The claim by ADMA that there is no evidence of widespread breaches is easy to make while they attempt to block a law that would provide exactly that evidence. As it stands, the only evidence the public sees of these breaches is what businesses want us to see, or when the media finds out about a breach and alerts the public. It's not exactly conducive to evidence-based policy.
One criticism of the proposed bill has been vagueness. The breach must present "a real risk of serious harm" but the bill doesn't provide a clear definition of either "real risk" or '"serious harm". A "real risk" is defined as a risk that is "not remote". But such language is a normal part of much legislation today and ensures that courts are able to enforce the spirit of the law and avoid getting caught up in legal hair-splitting.
Indeed, the vagueness in the bill is likely to be used by businesses to avoid reporting as often as possible. ADMA also misrepresents the way the bill would operate in regard to this test. The bill does not say "Report your breaches, and we will tell you if they are serious or not" as ADMA claims. The bill simply requires businesses to make a judgement of whether the breach represents a real risk of serious harm or not, and to report it if it does. This same test is in the Privacy Commissioner's guideline - a voluntary guideline that's been around for several years and represents best practice - which ADMA notes is clear and comprehensive.
ADMA claims that businesses "are often the victims" of these breaches, even though businesses don't have their own personal information - a business can be the victim of a computer attack, but it is individuals who are the victims of personal information breaches.
It has taken five years for this bill to emerge following the review of Australia's privacy laws, and having missed the Senate in June it may take even longer to pass. Let's not allow vested interests to further delay an important protection that is critical in a digital world.
Sign up for CIO Asia eNewsletters.