How the government helped the Commonwealth keep its breach secret
The Commonwealth Bank would have been forced to disclose its mammoth data breach if the government had fulfilled its promise of requiring companies to report breaches. But instead the government took three years to do it.
On March 3, 2015, then-Attorney-General George Brandis and the then-Communications Minister, Malcolm Turnbull, gave a solemn undertaking in response to the parliamentary committee that had examined, and approved, Tony Abbott's data retention legislation. In the view of the Joint Committee on Intelligence and Security, if the government was going to force companies to retain the private information of citizens, citizens needed to know they would be told if their stored information was stolen. "The Committee recommends introduction of a mandatory data breach notification scheme by the end of 2015," its final report said.
Brandis and Turnbull supported that. "The Government agrees to introduce a mandatory data breach notification scheme by the end of 2015, and will consult on draft legislation," they said. It was clear cut, and the government had more than nine months to get it up and running.