[AusNOG] Mandatory data breach notification will become law in Australia

Matt Perkins matt at spectrum.com.au
Tue Feb 28 12:18:27 EST 2017 

I was not suggesting that a business not do everything within it's power 
to secure your data. I believe in the most part most businesses do their 
best. Some miss the mark that's true. But I dont think cases of reckless 
intent a everywhere. If a business  were reckless I would think they 
likely would just lie about reporting it in any case.  If the business 
were reckless perhaps the data was stolen and they didnt even know ?

If it was just a requirement to report on an incident I would be fine 
with that. But history has shown us that that will not be the case. 
There will likely be some requirement to  perhaps register your policy 
with a body that could perhaps charge you for that registration. There 
might be reporting requirements and forms quarterly and who knows what 
else.

The DR legislation shows us just how these things can get way out of hand.

I hope im proved wrong and it's just as it looks a reporting requirement 
after and incident. We will see.

Matt.




On 28/2/17 12:03 pm, Mark Newton wrote:
>
>> On Feb 28, 2017, at 11:52 AM, Morgan Reed <morgan at darkglade.com 
>> <mailto:morgan at darkglade.com>> wrote:
>>
>> PCI and the like helps, but that only applies to specific parts of 
>> the market, there are still plenty of players out there who have 
>> enough PII about people to allow their ID to be stolen.
>
> Target was PCI compliant.
>
> Catchoftheday was PCI compliant, nobody found out about their data 
> breaches until three years later.
>
> PCI compliance doesn’t help at all. It’s orthogonal to this problem 
> space, it protects credit card issuers, not users. The only thing it 
> tries to protect is transaction records, and even then it only 
> protects them to the extent necessary to avoid /en masse /disclosure 
> of (name, credit card, expiry, CVV) tuples.
>
>> Mandatory breach notification will at least mean that you KNOW your 
>> info was stolen, so you can do something about it, versus finding out 
>> three to six months down the line when you start getting calls from 
>> debt collectors chasing you for payments on the half-dozen or more 
>> credit cards that have been signed up in your name and then maxed out.
>
> Yep, this.
>
> If you’re a small or large org, and I’m your customer, and you don’t 
> secure MY data, you can go and die in a goddamn fire. I don’t care how 
> much it affects your profitability, if I’ve disclosed valuable 
> personal information to you, you have a responsibility to do whatever 
> it takes to deserve my trust.
>
> If you’re upset because your products or business practices are so 
> hopelessly insecure that adequately discharging that responsibility 
> makes you unprofitable, then cry me a river. You shouldn’t be in business.
>
>
>   - mark
>
>


-- 
/* Matt Perkins
         Direct 1300 137 379        Spectrum Networks Ptd. Ltd.
         Office 1300 133 299        matt at spectrum.com.au
                                    Level 6, 350 George Street Sydney 2000
         Spectrum Networks is a member of the Communications Alliance & TIO
*/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20170228/78dcf622/attachment.html>

More information about the AusNOG mailing list