[AusNOG] Mandatory data breach notification will become law in Australia

Robert Hudson hudrob at gmail.com
Tue Feb 28 13:21:04 EST 2017


Perhaps read the legislation rather than guessing?

On 28 February 2017 at 12:18, Matt Perkins <matt at spectrum.com.au> wrote:

> I was not suggesting that a business not do everything within its power
> to secure your data. I believe in the most part most businesses do their
> best. Some miss the mark, that's true. But I don't think cases of reckless
> intent are everywhere. If a business were reckless I would think they likely
> would just lie about reporting it in any case. If the business were
> reckless perhaps the data was stolen and they didn't even know?
>
> If it was just a requirement to report on an incident I would be fine with
> that. But history has shown us that that will not be the case. There will
> likely be some requirement to perhaps register your policy with a body
> that could perhaps charge you for that registration. There might be
> reporting requirements and forms quarterly and who knows what else.
>
> The DR legislation shows us just how these things can get way out of hand.
>
> I hope I'm proved wrong and it's just as it looks, a reporting requirement
> after an incident. We will see.
>
> Matt.
>
> On 28/2/17 12:03 pm, Mark Newton wrote:
>
>
> On Feb 28, 2017, at 11:52 AM, Morgan Reed <morgan at darkglade.com> wrote:
>
> PCI and the like helps, but that only applies to specific parts of the
> market, there are still plenty of players out there who have enough PII
> about people to allow their ID to be stolen.
>
>
> Target was PCI compliant.
>
> Catchoftheday was PCI compliant, nobody found out about their data
> breaches until three years later.
>
> PCI compliance doesn’t help at all. It’s orthogonal to this problem space,
> it protects credit card issuers, not users. The only thing it tries to
> protect is transaction records, and even then it only protects them to the
> extent necessary to avoid *en masse* disclosure of (name, credit card,
> expiry, CVV) tuples.
>
> Mandatory breach notification will at least mean that you KNOW your info
> was stolen, so you can do something about it, versus finding out three to
> six months down the line when you start getting calls from debt collectors
> chasing you for payments on the half-dozen or more credit cards that have
> been signed up in your name and then maxed out.
>
>
> Yep, this.
>
> If you’re a small or large org, and I’m your customer, and you don’t
> secure MY data, you can go and die in a goddamn fire. I don’t care how much
> it affects your profitability, if I’ve disclosed valuable personal
> information to you, you have a responsibility to do whatever it takes to
> deserve my trust.
>
> If you’re upset because your products or business practices are so
> hopelessly insecure that adequately discharging that responsibility makes
> you unprofitable, then cry me a river. You shouldn’t be in business.
>
>
>   - mark
>
> --
> /* Matt Perkins
>         Direct 1300 137 379        Spectrum Networks Ptd. Ltd.
>         Office 1300 133 299        matt at spectrum.com.au
>                                    Level 6, 350 George Street Sydney 2000
>         Spectrum Networks is a member of the Communications Alliance & TIO
> */
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog