[AusNOG] Mandatory data breach notification will become law in Australia
James Hodgkinson
yaleman at ricetek.net
Tue Feb 28 12:43:33 EST 2017
> The DR legislation shows us just how these things can get way out
> of hand.
Not sure how this is relevant - DR is specifically about retaining
information until a request - not reporting it when you have a breach.
James
On Tue, 28 Feb 2017, at 11:18, Matt Perkins wrote:
> I was not suggesting that a business not do everything within its
> power to secure your data. I believe in the most part most businesses
> do their best. Some miss the mark, that's true. But I don't think cases
> of reckless intent are everywhere. If a business were reckless I would
> think they likely would just lie about reporting it in any case. If
> the business were reckless perhaps the data was stolen and they didn't
> even know?
>
> If it was just a requirement to report on an incident I would be fine
> with that. But history has shown us that that will not be the case.
> There will likely be some requirement to perhaps register your
> policy with a body that could perhaps charge you for that
> registration. There might be reporting requirements and forms
> quarterly and who knows what else.
>
> The DR legislation shows us just how these things can get way out
> of hand.
>
> I hope I'm proved wrong and it's just as it looks, a reporting
> requirement after an incident. We will see.
>
> Matt.
>
> On 28/2/17 12:03 pm, Mark Newton wrote:
>>
>>> On Feb 28, 2017, at 11:52 AM, Morgan Reed <morgan at darkglade.com>
>>> wrote:
>>>
>>> PCI and the like helps, but that only applies to specific parts of
>>> the market, there are still plenty of players out there who have
>>> enough PII about people to allow their ID to be stolen.
>>
>> Target was PCI compliant.
>>
>> Catchoftheday was PCI compliant, nobody found out about their data
>> breaches until three years later.
>>
>> PCI compliance doesn’t help at all. It’s orthogonal to this problem
>> space, it protects credit card issuers, not users. The only thing it
>> tries to protect is transaction records, and even then it only
>> protects them to the extent necessary to avoid *en masse* disclosure
>> of (name, credit card, expiry, CVV) tuples.
>>
>>> Mandatory breach notification will at least mean that you KNOW your
>>> info was stolen, so you can do something about it, versus finding
>>> out three to six months down the line when you start getting calls
>>> from debt collectors chasing you for payments on the half-dozen or
>>> more credit cards that have been signed up in your name and then
>>> maxed out.
>>
>> Yep, this.
>>
>> If you’re a small or large org, and I’m your customer, and you don’t
>> secure MY data, you can go and die in a goddamn fire. I don’t care
>> how much it affects your profitability, if I’ve disclosed valuable
>> personal information to you, you have a responsibility to do whatever
>> it takes to deserve my trust.
>>
>> If you’re upset because your products or business practices are so
>> hopelessly insecure that adequately discharging that responsibility
>> makes you unprofitable, then cry me a river. You shouldn’t be in
>> business.
>>
>>
>> - mark
>>
>>
>
>
> -- /* Matt Perkins Direct 1300 137 379 Spectrum Networks Ptd.
> Ltd. Office 1300 133 299 matt at spectrum.com.au Level 6, 350
> George Street Sydney 2000 Spectrum Networks is a member of the
> Communications Alliance & TIO */
>
> _________________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog