<div dir="ltr">Hear, hear.<div><br></div><div>I'm watching the commentary on this thread with interest. As a security guy I have been looking at this data breach legislation for a while, and was active in the submission phase etc. Too much legislation and it ends up like California, where everyone gets 3 notices a week and they end up meaning nothing; too little and large companies continue to be complacent about security and privacy, and sweep these breaches under the carpet with impunity.<div><div><br></div><div>Is the legislation perfect? No, far from it, but it's a lot better than nothing, and miles ahead of the initial drafts. </div><div><br></div><div>Will it change anything for responsible companies? No; the correct thing to do has always been to inform your customers as quickly as possible after you become aware of any breach with the potential to cause harm.</div><div><br></div><div>The DR legislation means that an awful lot of the companies on this list are now retaining far more PII than ever before, and the implications of this are far-reaching.</div><div><br></div><div>If you hate the thought of having to notify customers when you get breached, then your best response is to put your effort (and perhaps some portion of your DRIP payments) towards securing your systems so that this is much less likely to occur.<br></div><div><br></div><div>Having worked for ISPs prior to becoming a security consultant who now spends his time looking at the security posture of all types of organisations in all types of industries, I can tell you that in my experience the ISP industry is a long way behind where it should be in terms of security posture, given the high concentrations of technically adept people at their disposal. 
</div><div><br></div><div>Some of this is arrogance, which leads to a reticence to seek assistance; some of this is to do with the competitive nature of the industry driving low margins; some of this is to do with scale, in that by its nature, carrier networks require large public footprints, which result in large attack surfaces. </div><div><br></div><div>By way of an example, we have a security collaboration <a href="http://portal.securitycolony.com/">portal</a> that is crammed full of useful resources that can assist organisations in improving their security posture through handling incident response. We even have <a href="https://blog.hivint.com/cybersecurity-incident-breach-disclosure-guide-9ef996caeaf5#.a57f7oz92">videos telling you how best to handle a breach notification</a>. Amongst all of the companies that are utilising this resource, ISPs are amongst the most poorly represented.</div></div></div><div><br></div><div>Eric Pinkerton</div><div><a href="http://hivint.com">hivint.com</a></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 28 February 2017 at 14:43, Chad Kelly <span dir="ltr"><<a href="mailto:chad@cpkws.com.au" target="_blank">chad@cpkws.com.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 2/28/2017 12:00 PM, <a href="mailto:ausnog-request@lists.ausnog.net" target="_blank">ausnog-request@lists.ausnog.net</a> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I'm suggesting that more and more government regulation does but one<br>
thing: push small guys out of the market. It won't just be a reporting<br>
requirement, but there will be forms, reports, reporting officers etc.<br>
etc. It's not the reporting requirement I have a problem with, it's all<br>
the red tape that's going to go with it.<br>
<br>
The government needs to learn that 3 million turnover is not a large<br>
business. Why can these things not be decided on profit? There's a lot<br>
of small operators that collect 3 million and then turn over the bulk of<br>
that to AAPT/Telstra/Optus/Vocus.<br>
<br>
Yet the government treats them like AAPT/Telstra/Optus/Vocus<br>
</blockquote>
<br>
Don't you remember what happened with Distribute IT?<br>
<br>
I wouldn't consider $3,000,000 turnover as a small business either, more of a medium-sized one, but you should be preventing these data breaches in the first place and have policies on who can access what information within the business.<br>
<br>
Depending on the size of the business and the type of data that is being collected you should also have written policies on what happens if a breach occurs.<br>
<br>
You should also have appropriate levels of insurance to make sure you are covered in case something happens.<br>
<br>
Also, if you don't want to file reports yourself, you have the option of hiring a personal assistant to take care of those tasks.<br>
<br>
I think it's actually a good thing that the federal government is starting to take IT security more seriously and that they are starting to crack down on this stuff.<br>
<br>
Though writing reports still won't actually prevent breaches so you still need good security practices in place.<br>
<br>
Regards, Chad.<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
<br>
-- <br>
Chad Kelly<br>
Manager<br>
CPK Web Services<br>
web <a href="http://www.cpkws.com.au" rel="noreferrer" target="_blank">www.cpkws.com.au</a><br>
phone 03 5273 0246<br>
<br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</font></span></blockquote></div><br></div>