Australian Mandatory data breach notification scheme: industry support

Telstra and Macquarie Telecom have lent public conditional support to the Federal government's December 2015 exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (Bill). The Bill proposes to introduce a mandatory requirement for entities subject to the Privacy Act 1988 (Cth) to notify affected individuals and the Privacy Commissioner if there are reasonable grounds to believe a serious data breach has occurred.

Following the consultation process on the exposure draft, a submission from Macquarie Telecom has described the notification scheme as "warranted and timely" and a logical follow-on from mandatory data retention requirements, necessary to ensure that the large amounts of data collected under that regime are adequately protected.

"The reporting of breaches is also an important element in a robust national cyber security stance. At a time when more than ever before ICT infrastructure is network-enabled, the national ICT infrastructure is in some very important ways only as strong as its weakest links. This is true both in terms of the robustness of the infrastructure itself and of the trust and confidence that underpins its use," Macquarie stated.

In voicing its support for the obligatory nature of the notification requirements across the board, Macquarie stated that end-user access to an independent agency for redress and advice would become an important element under the Bill in order to build end-user confidence in cloud-based services.

However, both Macquarie Telecom and Telstra have also called for some changes to the Bill. Telstra has stated that it would support any effort to translate the present voluntary reporting guidelines into a legislative instrument, but noted that the compliance cost of new legislation may be prohibitive for smaller providers.

Macquarie Telecom has mirrored concerns raised by Comms Alliance that the suggested notification mechanism has the potential to create "notification fatigue". This is because data can be held by multiple entities (such as carriers, call centre operators and cloud service providers), and if every holding entity is required to separately notify affected individuals of a breach, individuals may not be aware that notifications relate to the same breach, or may be in receipt of such a number of notifications that their responsiveness becomes limited. As such, Comms Alliance and Macquarie Telecom have stated that they support a mechanism whereby only one entity notifies end-users of data breaches.

For more information, please contact Anne-Marie Allgrove, Toby Patten or Matthew Dempsey.