The Abbott government intends to make telcos and internet companies store customers’ private data for two years – but industry players say the government has declined to mandate or even spell out any special security arrangements to ensure consumer privacy is protected.

iiNet has released a paper reflecting the consultations the company is having with the attorney general’s department about the mandatory data retention scheme the Abbott government is proposing as part of its tough counter-terrorism measures.

The company says that in discussions thus far, security issues have been off the table. iiNet has raised some alarm at this prospect. “Retaining the proposed data set for two years involves significant security risk, and significant associated cost to manage this risk,” it says.

The company says government officials have provided “no guidance” on the security protocols that would apply to storing people’s private communications data.

“No guidance has been provided on other practical issues such as whether communications providers will be free to seek the lowest cost solutions,” iiNet says in its summation of the consultations. “For example, will offshore cloud storage be acceptable or will the data be required to be stored in Australia?”

The company – which argues that blanket data retention equates to mass surveillance – notes that “the retention of a vast set of personal information would likely prove to be an appealing target for hackers all around the world – creating a risk of identity theft in the event of a data breach.”

Reassuring people that their private data will be stored safely would appear to be a critical component of building public support or confidence in such a scheme.

But John Stanton from the telco industry body, the Communications Alliance, told Guardian Australia on Thursday that government officials had not yet spelled out any specific security requirements applying to the proposed scheme.

“We’ve discussed that with the attorney general’s department and there’s no [security] requirement at this stage,” he said. “It’s an issue I imagine we’ll have to revisit.”

Draft legislation to create the mandatory data retention scheme could be produced for parliamentary consideration within two weeks – yet key industry players have no idea who will pay for the costs associated with the scheme.

Stanton said no information had been forthcoming, and the “industry was continuing to press for clarity on cost”.

iiNet said not only would Australians face privacy risks associated with having their communications information stored, they would have to carry the cost if the government didn’t intend to pay for the scheme.

“There has been no suggestion by the government that it would reimburse or even contribute to the substantial costs incurred by providers in complying with a mandatory data retention regime,” the company says in its paper. “In these circumstances, consumers will ultimately bear these costs.”

iiNet also notes that thus far, federal officials have not proposed to narrow the range of bodies that can currently access consumer metadata. Consumer data has not only been accessed by police and intelligence agencies in recent years, but by groups like the RSPCA, local councils, the Tax Practitioners Board and the Victorian taxi directorate.

There have been calls to narrow the range of people who can have access to stored data – including by parliament’s joint intelligence committee when mandatory data retention was first proposed in 2013.

The government has not released a private industry consultation paper in which it spells out the categories of information it wants telcos and ISPs to capture.

But iiNet has released the full list in its paper. The categories of data include: