The proposal, which follows similar moves in the United States and elsewhere, has been championed by the security industry and consumer groups as beneficial to consumers who may become victims of fraud as a result, while allowing for a greater public conversation on the need for security.
Consumer advocacy group the Australian Communications Consumer Action Network pointed to repeated breaches of major telecommunications companies as a reason to introduce the reforms.
But peak industry bodies including the Australian Bankers' Association and Communications Alliance have criticised the proposal as overly cumbersome for companies, preferring the existing scheme to voluntarily notify customers and the wider public of any data breaches.
They said new regulations would force some companies to change IT systems to monitor for potential breaches, or seek legal assurance on when to disclose minor or major breaches of security.
"Organisations will have to adjust existing compliance systems for reporting and notification of serious data breaches significantly affecting identifiable individuals without the knowledge of the scope of other circumstances which are later defined by regulations," the ABA said in a submission to the committee considering the proposal.
INDUSTRY CONSULTATION WAS RUSHED
Communications Alliance, which represents companies including Telstra, said industry consultation on the proposal had been rushed by the federal government and companies would not be able to adjust their systems in time to meet the new laws.
"The implementation of a mandatory data breach system is likely to be costly," it said.
"This, of course, may depend on what current systems are in place within each business, as well as the costs of ensuring compliance with a mandatory scheme."
Other groups, such as the Australian Finance Conference, argued there was no evidence for a market failure that required additional legislation.
But others have been more supportive of a move to more tightly regulate company compliance surrounding security.
"It definitely has awoken, I guess, the corporate consciousness in companies that maybe hadn't thought of it before," Ms Pemberton said.
She said discussions surrounding data breach notification had already prompted several companies to increase their security and get ready for the impending regulations.
But security consultant Alastair MacGibbon said some companies were in denial about threats to their security.
"I think there's an element of wilful blindness around board rooms," he said. "I think if you don't ask the question, you don't need to know the answer.
"If you asked any executive if you lost your intellectual property, what would happen, they'd say 'I've got no business any more'. But if you ask them what are the ways in which that information is going to be extracted from your organisation, that's not a question they're going to be able to answer."