[AusNOG] Mandatory data breach notification will become law in Australia

Mark Newton newton at atdot.dotat.org
Tue Feb 28 12:03:00 EST 2017

> On Feb 28, 2017, at 11:52 AM, Morgan Reed <morgan at darkglade.com> wrote:
> PCI and the like helps, but that only applies to specific parts of the market, there are still plenty of players out there who have enough PII about people to allow their ID to be stolen.

Target was PCI compliant. 

Catchoftheday was PCI compliant, nobody found out about their data breaches until three years later.

PCI compliance doesn’t help at all. It’s orthogonal to this problem space, it protects credit card issuers, not users. The only thing it tries to protect is transaction records, and even then it only protects them to the extent necessary to avoid en masse disclosure of (name, credit card, expiry, CVV) tuples.

> Mandatory breach notification will at least mean that you KNOW your info was stolen, so you can do something about it, versus finding out three to six months down the line when you start getting calls from debt collectors chasing you for payments on the half-dozen or more credit cards that have been signed up in your name and then maxed out.

Yep, this.

If you’re a small or large org, and I’m your customer, and you don’t secure MY data, you can go and die in a goddamn fire. I don’t care how much it affects your profitability, if I’ve disclosed valuable personal information to you, you have a responsibility to do whatever it takes to deserve my trust.

If you’re upset because your products or business practices are so hopelessly insecure that adequately discharging that responsibility makes you unprofitable, then cry me a river. You shouldn’t be in business.

  - mark
