<div dir="auto">The mandatory reporting isn't designed to push those who hold PII into protecting it better (though I suspect that will be a side effect, having to announce a breach could well be embarrassing).<div dir="auto"><br></div><div dir="auto">Mandatory notification is designed to inform owners of their PII (make no mistake, if the PII is about you, the law says you own it, not the entity who has collected it) that their data has fallen into "the wrong hands" (basically, someone with whom they don't have an agreement regarding their PII), so that they are aware of the issue and can take appropriate actions (change passwords, cancel credit cards, check credit histories, etc).</div><div dir="auto"><br></div><div dir="auto">Why was this necessary? Because until this becomes law, there is no legal obligation (let's ignore ethical/moral for now) to tell people (or tell them in a timely manner) that a breach has occurred, leaving people exposed withour knowledge.</div><div dir="auto"><br></div><div dir="auto">Back to the ethical/moral obligations, this should never have been an issue, but, well, I won't comment here further.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 28 Feb 2017 12:10 AM, "Paul Wilkins" <<a href="mailto:paulwilkins369@gmail.com">paulwilkins369@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>Superficially it seems that this is a step in the right direction - that we can't expect to see meaningful improvements to the security of systems and networks without a measure of the extent of security violations.<br><br>On the other, I don't see where reporting will necessarily lead to meaningful change. Even the preamble to the Act cites rising levels of security breaches as justification. But if one adopts a more realistic(fatalistic) view of the security horizon, where everyone knows that security on the internet is basically a broken concept, then we are measuring something that can't be changed, the rate of security breaches will only continue to rise, while the government Canute like commands the rising tide to recede when it shows no inclination to acquiesce to the request.<br><br>There is a real risk that the powers within the act are going to be used to little effect other than as a rod with which to flog a dead horse for the edification of the electorate.<br><br></div>Kind regards<br><br></div>Paul Wilkins<br></div><div class="gmail_extra"><br><div class="gmail_quote">On 27 February 2017 at 18:23, Chris Legg <span dir="ltr"><<a href="mailto:cdlegg@iinet.net.au" target="_blank">cdlegg@iinet.net.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Copied from another source:<br>
<br>
<br>
Australia will have a mandatory data breach notification scheme in place within the year after several aborted attempts, following the passage of legislation through the senate on Feb 13th.<br>
<br>
<a href="http://www.theaustralian.com.au/business/technology/data-breach-scheme-to-become-law/news-story/8c2765681201c0d1c58ece2ebc3022c5" rel="noreferrer" target="_blank">http://www.theaustralian.com.a<wbr>u/business/technology/data-bre<wbr>ach-scheme-to-become-law/news-<wbr>story/8c2765681201c0d1c58ece2e<wbr>bc3022c5</a><br>
<br>
This ruling applies to all government entities and organizations with a turnover greater than $3 million a year. Entities with turnover of less than $3 million a year fall outside the legislation.<br>
<br>
The newly passed law means organizations that determine they have been breached or have lost data will need to report the incident to the Privacy Commissioner and notify affected customers as soon as they become aware of a breach.<br>
______________________________<wbr>_________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailma<wbr>n/listinfo/ausnog</a><br>
</blockquote></div><br></div>
<br>______________________________<wbr>_________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/<wbr>mailman/listinfo/ausnog</a><br>
<br></blockquote></div></div>