[AusNOG] Mandatory data breach notification will become law in Australia

Robert Hudson hudrob at gmail.com
Tue Feb 28 07:54:58 EST 2017


The mandatory reporting isn't designed to push those who hold PII into
protecting it better (though I suspect that will be a side effect, having
to announce a breach could well be embarrassing).

Mandatory notification is designed to inform owners of their PII (make no
mistake, if the PII is about you, the law says you own it, not the entity
who has collected it) that their data has fallen into "the wrong hands"
(basically, someone with whom they don't have an agreement regarding their
PII), so that they are aware of the issue and can take appropriate actions
(change passwords, cancel credit cards, check credit histories, etc).

Why was this necessary? Because until this becomes law, there is no legal
obligation (let's ignore ethical/moral for now) to tell people (or tell
them in a timely manner) that a breach has occurred, leaving people exposed
without knowledge.

Back to the ethical/moral obligations, this should never have been an
issue, but, well, I won't comment here further.

On 28 Feb 2017 12:10 AM, "Paul Wilkins" <paulwilkins369 at gmail.com> wrote:

> Superficially it seems that this is a step in the right direction - that
> we can't expect to see meaningful improvements to the security of systems
> and networks without a measure of the extent of security violations.
>
> On the other, I don't see where reporting will necessarily lead to
> meaningful change. Even the preamble to the Act cites rising levels of
> security breaches as justification. But if one adopts a more
> realistic (fatalistic) view of the security horizon, where everyone knows
> that security on the internet is basically a broken concept, then we are
> measuring something that can't be changed: the rate of security breaches
> will only continue to rise, while the government, Canute-like, commands the
> rising tide to recede when it shows no inclination to acquiesce to the
> request.
>
> There is a real risk that the powers within the act are going to be used
> to little effect other than as a rod with which to flog a dead horse for
> the edification of the electorate.
>
> Kind regards
>
> Paul Wilkins
>
> On 27 February 2017 at 18:23, Chris Legg <cdlegg at iinet.net.au> wrote:
>
>> Copied from another source:
>>
>>
>> Australia will have a mandatory data breach notification scheme in place
>> within the year after several aborted attempts, following the passage of
>> legislation through the senate on Feb 13th.
>>
>> http://www.theaustralian.com.au/business/technology/data-breach-scheme-to-become-law/news-story/8c2765681201c0d1c58ece2ebc3022c5
>>
>> This ruling applies to all government entities and organizations with a
>> turnover greater than $3 million a year. Entities with turnover of less
>> than $3 million a year fall outside the legislation.
>>
>> The newly passed law means organizations that determine they have been
>> breached or have lost data will need to report the incident to the Privacy
>> Commissioner and notify affected customers as soon as they become aware of
>> a breach.
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>
>