Credit: Dreamstime
Both proposed amendments were voted down.
“The threshold, according to who this bill applies to, shouldn’t have anything to do with turnover,” Ludlam said during a debate on the Bill in the Senate. “It should have more to with how much data these organisations are holding.”
Ludlam also questioned why the legislation does not apply to political parties.
As noted in the Bill’s explanatory memorandum, the new provisions are expected to see businesses affected by the new legislation incur a cost related to compliance.
“Whilst not quantified, a number of administrative costs have been identified by industry groups, such as creating notification methods, formalising internal processes and increased insurance and legal costs,” the explanatory memorandum stated.
In September last year, CyberArk released research findings that suggesting that just 34 per cent of Australians surveyed felt their businesses were completely prepared to handle mandatory breach notification requirements.
“It can be inferred, therefore that there is a lack of confidence about either being able to identify a breach, or in existing emergency response plans – including providing the necessary information to the executive team, who would be responsible for the public breach notification,” the survey report stated.
Among the local channel community, the legislation has received mixed reviews.
Mandiant director of threat intelligence and consulting, Tim Wellsmore, suggested late last year that he was not sure that the public and industry had enough clarity around what the legislation was trying to achieve.
"Are we trying to put in breach disclosure legislation to protect the privacy of individuals? And if so, [the legislation] doesn’t reach all of the requirements to do that. From my reading of it, small to medium enterprises are not included,” Wellsmore said, mirroring Ludlam’s concerns.
"I don’t think we have a clear success goal here. If we are here to try and protect the privacy of individuals then if any individual data has been leaked, people need to know about it, and yet we have all those exemptions,” he said at the time.
The new laws will come into effect by either a proclaimed date, or a year after they receive Royal Assent.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.