Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
 Download Current HansardDownload Current Hansard    View Or Save XMLView/Save XML

Previous Fragment    Next Fragment
Monday, 13 February 2017
Page: 606


Senator LUDLAM (Western AustraliaCo-Deputy Leader of the Australian Greens) (12:50): I thank the minister for his answer and thank other senators for their contributions. The second two amendments—which I will move shortly, once we have dealt with this one—go to the fact that with many data breaches, such as those that I, Labor senators and Senator Griff identified during our contributions, it takes some time before some of these companies or departments even know that they have had a breach. So the clock is not ticking from the time they realise they have lost control of people's information but from the time that the breach occurs. That could be weeks, months or, in some cases, years after the breach is discovered. I believe that in most cases in the list of examples I read earlier it was a period of weeks before the breach was actually discovered, at which point your obligations begin.

I take Senator Brandis's point; 'expeditious' is entirely appropriate. That implies that the ICT teams get moving and try to identify what has actually happened. What we do not want to have is companies and departments being tied up for up to 30 days, working as rapidly as they can, trying to figure out whether they are obliged to report the breach. We would rather just see, on balance, that the reporting happens earlier. That will go to the second amendment that we are going to move shortly. We think 30 days is far too long and we also believe you have identified the reason that it is far too long in your own explanatory memorandum, where you have said—I am going to put this on the record one last time:

… the average number of days between a breach and the individual being notified was 405 days, whereas the average time between a data breach and the misuse of compromised information was 72 hours—

three days. You have made the case for three days in your EM, probably more eloquently than I am this morning. I am seeking your guidance, Mr Temporary Chair. I am taking Senator Griff's advice in the interests of compromise and wish to substitute 'five days' for 'three days'. Do I need leave to amend 'three days' to read 'five days'?

The TEMPORARY CHAIR ( Senator Bernardi ): You would need to seek leave.

Senator LUDLAM: I seek leave.

Leave granted.

Senator LUDLAM: Do I need to move that or is that done?

The TEMPORARY CHAIR: Perhaps you could explain your amendment for us.

Senator LUDLAM: Amendment (1) on sheet 8055 is substituting 'five days' for 'three days' as circulated.

The TEMPORARY CHAIR: The question is that that amendment be agreed to. Those of that opinion say aye and against say no. I think the noes have it on that amendment.

Senator LUDLAM: In that case I will put the amendment. If Senator Brandis is not interested in even two days—

The TEMPORARY CHAIR: Just one moment, Senator Ludlam. I think the Attorney may have something to share, so could you resume your seat.