[AusNOG] Mandatory data breach notification will become law in Australia

James Hodgkinson yaleman at ricetek.net
Tue Feb 28 12:43:33 EST 2017


> The DR legislation shows us just how these things can get way out
> of hand.


Not sure how this is relevant - DR is specifically about retaining
information until a request - not reporting it when you have a breach.


James




On Tue, 28 Feb 2017, at 11:18, Matt Perkins wrote:

> I was not suggesting that a business not do everything within its
> power to secure your data. I believe in the most part most businesses
> do their best. Some miss the mark, that's true. But I don't think cases
> of reckless intent are everywhere. If a business were reckless I would
> think they likely would just lie about reporting it in any case. If
> the business were reckless perhaps the data was stolen and they didn't
> even know?
>
> If it was just a requirement to report on an incident I would be fine
> with that. But history has shown us that that will not be the case.
> There will likely be some requirement to perhaps register your
> policy with a body that could perhaps charge you for that
> registration. There might be reporting requirements and forms
> quarterly and who knows what else.
>
> The DR legislation shows us just how these things can get way out
> of hand.
>
> I hope I'm proved wrong and it's just, as it looks, a reporting
> requirement after an incident. We will see.
>
> Matt.
>
> On 28/2/17 12:03 pm, Mark Newton wrote:
>>
>>> On Feb 28, 2017, at 11:52 AM, Morgan Reed <morgan at darkglade.com>
>>> wrote:
>>>
>>> PCI and the like helps, but that only applies to specific parts of
>>> the market, there are still plenty of players out there who have
>>> enough PII about people to allow their ID to be stolen.
>>
>> Target was PCI compliant.
>>
>> Catchoftheday was PCI compliant, nobody found out about their data
>> breaches until three years later.
>>
>> PCI compliance doesn’t help at all. It’s orthogonal to this problem
>> space, it protects credit card issuers, not users. The only thing it
>> tries to protect is transaction records, and even then it only
>> protects them to the extent necessary to avoid *en masse* disclosure
>> of (name, credit card, expiry, CVV) tuples.
>>
>>> Mandatory breach notification will at least mean that you KNOW your
>>> info was stolen, so you can do something about it, versus finding
>>> out three to six months down the line when you start getting calls
>>> from debt collectors chasing you for payments on the half-dozen or
>>> more credit cards that have been signed up in your name and then
>>> maxed out.
>>
>> Yep, this.
>>
>> If you’re a small or large org, and I’m your customer, and you don’t
>> secure MY data, you can go and die in a goddamn fire. I don’t care
>> how much it affects your profitability, if I’ve disclosed valuable
>> personal information to you, you have a responsibility to do whatever
>> it takes to deserve my trust.
>>
>> If you’re upset because your products or business practices are so
>> hopelessly insecure that adequately discharging that responsibility
>> makes you unprofitable, then cry me a river. You shouldn’t be in
>> business.
>>
>>   - mark
>>
>
> --
> /* Matt Perkins
>    Direct 1300 137 379        Spectrum Networks Pty. Ltd.
>    Office 1300 133 299        matt at spectrum.com.au
>    Level 6, 350 George Street Sydney 2000
>    Spectrum Networks is a member of the Communications Alliance & TIO */
>
> _________________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog

