<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body><div>> The DR legislation shows us just how these things can get way out of hand. <br></div>
<div><br></div>
<div>Not sure how this is relevant - DR is specifically about retaining information until a request - not reporting it when you have a breach.<br></div>
<div><br></div>
<div>James<br><br></div>
<div><br></div>
<div>On Tue, 28 Feb 2017, at 11:18, Matt Perkins wrote:<br></div>
<blockquote type="cite"><div><div>I was not suggesting that a business
not do everything within its power to secure your data. I believe
for the most part most businesses do their best. Some miss the mark,
that's true. But I don't think cases of reckless intent are
everywhere. If a business were reckless I would think they likely
would just lie about reporting it in any case. If the business
were reckless perhaps the data was stolen and they didn't even know? <br></div>
<div> <br></div>
<div> If it was just a requirement to report on an incident I would be
fine with that. But history has shown us that that will not be the
case. There will likely be some requirement to perhaps register
your policy with a body that could perhaps charge you for that
registration. There might be reporting requirements and forms
quarterly and who knows what else. <br></div>
<div> <br></div>
<div> The DR legislation shows us just how these things can get way out
of hand. <br></div>
<div> <br></div>
<div> I hope I'm proved wrong and it's just, as it looks, a reporting
requirement after an incident. We will see. <br></div>
<div> <br></div>
<div> Matt.<br></div>
<div> <br></div>
<div> <br></div>
<div> <br></div>
<div> <br></div>
<div> On 28/2/17 12:03 pm, Mark Newton wrote:<br></div>
</div>
<blockquote type="cite"><div><br></div>
<div><blockquote type="cite"><div>On Feb 28, 2017, at 11:52 AM, Morgan Reed <<a href="mailto:morgan@darkglade.com">morgan@darkglade.com</a>> wrote:<br></div>
<div><div dir="ltr"><div><div defang_data-gmailquote="yes"><div><br></div>
<div>PCI and the like helps, but that only
applies to specific parts of the market, there are
still plenty of players out there who have enough
PII about people to allow their ID to be stolen.<br></div>
</div>
</div>
</div>
</div>
</blockquote><div><br></div>
<div>Target was PCI compliant. <br></div>
</div>
<div><br></div>
<div>Catchoftheday was PCI compliant, nobody found out about their
data breaches until three years later.<br></div>
<div><br></div>
<div>PCI compliance doesn’t help at all. It’s orthogonal to this
problem space, it protects credit card issuers, not users. The
only thing it tries to protect is transaction records, and even
then it only protects them to the extent necessary to avoid <i>en masse </i>disclosure of (name, credit card,
expiry, CVV) tuples.<br></div>
<div><div><br></div>
<blockquote type="cite"><div><div dir="ltr"><div><div defang_data-gmailquote="yes"><div>Mandatory breach notification will at
least mean that you KNOW your info was stolen, so
you can do something about it, versus finding out
three to six months down the line when you start
getting calls from debt collectors chasing you for
payments on the half-dozen or more credit cards that
have been signed up in your name and then maxed out.<br></div>
</div>
</div>
</div>
</div>
</blockquote></div>
<div><br></div>
<div>Yep, this.<br></div>
<div><br></div>
<div>If you’re a small or large org, and I’m your
customer, and you don’t secure MY data, you can go and die in a
goddamn fire. I don’t care how much it affects your
profitability, if I’ve disclosed valuable personal information
to you, you have a responsibility to do whatever it takes to
deserve my trust.<br></div>
<div><br></div>
<div>If you’re upset because your products or business
practices are so hopelessly insecure that adequately discharging
that responsibility makes you unprofitable, then cry me a river.
You shouldn’t be in business.<br></div>
<div><br></div>
<div><br></div>
<div> - mark<br></div>
<div><br></div>
<div><br></div>
</blockquote><div><br></div>
<p><br></p><pre>--
/* Matt Perkins
Direct 1300 137 379 Spectrum Networks Pty. Ltd.
Office 1300 133 299 <a href="mailto:matt@spectrum.com.au">matt@spectrum.com.au</a>
Level 6, 350 George Street Sydney 2000
Spectrum Networks is a member of the Communications Alliance & TIO
*/
<br></pre><div><u>_______________________________________________</u><br></div>
<div>AusNOG mailing list<br></div>
<div><a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br></div>
<div><a href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br></div>
</blockquote><div><br></div>
</body>
</html>