Even in a case where such a disclosure were required, it would stand to reason that a grace period be provided in order to allow the affected company time to investigate, and hopefully rectify, the issue(s) that lead to the breach. Painting a target on ones back by announcing security concerns to the world - before having an opportunity to resolve them - may not be the best course of action and could very well lead to a compromise on a larger scale.<div>
<br></div><div>This having been said, depending on the data stolen, it would be hard to determine an acceptable period of time to "cover" the company affected; if any. Protecting a company from damages in favour of their subscribers personal and / or financial information doesn't sound too ethical in my books. Conversely, allowing further damage by forcing disclosure could be considered equally as dangerous / silly.</div>
<div><br></div><div>Back on topic: According to Twitter, and the previous news articles, some of the data is about to be released (<a href="https://twitter.com/Op_Australia">https://twitter.com/Op_Australia</a>)</div><div>
<br></div><div>P.</div><div><div><br><div class="gmail_quote">On Wed, Jul 25, 2012 at 7:28 PM, Paul Wilkins <span dir="ltr"><<a href="mailto:paulwilkins369@gmail.com" target="_blank">paulwilkins369@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Australian legislation currently makes no requirement to report a data breach (though there may be an obligation at common law).<br>
<br>It's something legislators are considering:<br><br><a href="http://www.itnews.com.au/News/275598,data-breach-laws-to-follow-privacy-reforms.aspx" target="_blank">http://www.itnews.com.au/News/275598,data-breach-laws-to-follow-privacy-reforms.aspx</a><span class="HOEnZb"><font color="#888888"><br>
<br>Paul Wilkins<br><br><br></font></span><div class="gmail_quote"><div><div class="h5">On Wed, Jul 25, 2012 at 7:48 PM, Martin - StudioCoast <span dir="ltr"><<a href="mailto:martin.sinclair@studiocoast.com.au" target="_blank">martin.sinclair@studiocoast.com.au</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">
<div bgcolor="#FFFFFF" text="#000000">
<div><font size="-1"><font face="Arial">Does
an ISP have a duty of disclosure for an information breach
such as this?<br>
My view is that they have an ethical duty to inform customers
but i'm not aware of if there are actually any laws to this
effect.<br>
<br>
If the hacker is telling the truth and the telco patched the
vulnerability then it seems likely they knew about it.</font></font>
</div>
<br>
</div>
<br></div></div><div class="im">_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br></div></blockquote></div><br>
<br>_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br><br></blockquote></div>
</div></div>