[AusNOG] Mandatory data breach notification will become law in Australia

Mister Pink misterpink at gmail.com
Wed Mar 1 10:59:36 EST 2017


Hear, hear.

I'm watching the commentary on this thread with interest.  As a security
guy I have been looking at this data breach legislation for a while, and
was active in the submission phase etc.   Too much legislation and it ends
up like California, where everyone gets 3 notices a week, and they end up
meaning nothing, too little and large companies continue to be complacent
about security and privacy, and sweep these breaches under the carpet with
impunity.

Is the legislation perfect? No, far from it, but it's a lot better
than nothing, and miles ahead of the initial drafts.

Will it change anything for responsible companies? No - the correct thing
to do has always been to inform your customers as quickly as possible after
you become aware of any breach with the potential to cause harm.

The DR legislation means that an awful lot of the companies on this list
are now retaining far more PII than ever before, and the implications of
this are far reaching.

If you hate the thought of having to notify customers when you get
breached, then your best response is to put your effort (and perhaps some
portion of your DRIP payments) towards securing your systems so that this
is much less likely to occur.

Having worked for ISPs prior to becoming a security consultant who now
spends his time looking at the security posture of all types of
organisations in all types of industries, I can tell you that in my
experience the ISP industry is a long way behind where it should be in
terms of security posture given the high concentrations of technically
adept people at their disposal.

Some of this is arrogance which leads to a reticence to seek assistance,
some of this is to do with the competitive nature of the industry driving
low margins, some of this is to do with scale, in that by its nature,
carrier networks require large public footprints, that result in large
attack surfaces.

By way of an example, we have a security collaboration portal
<http://portal.securitycolony.com/> that is crammed full of useful
resources that can assist organisations in improving their security posture
through handling incident response. We even have videos telling you how
best to handle a breach notification
<https://blog.hivint.com/cybersecurity-incident-breach-disclosure-guide-9ef996caeaf5#.a57f7oz92>.
Amongst all of the companies that are utilising this resource, ISPs are
amongst the most poorly represented.

Eric Pinkerton
hivint.com

On 28 February 2017 at 14:43, Chad Kelly <chad at cpkws.com.au> wrote:

> On 2/28/2017 12:00 PM, ausnog-request at lists.ausnog.net wrote:
>
>> I'm suggesting that more and more government regulation does but one
>> thing: push small guys out of the market.  It won't just be a reporting
>> requirement but there will be forms, reports, reporting officers etc
>> etc.  It's not the reporting requirement I have a problem with, it's all
>> the red tape that's going to go with it.
>>
>> The government needs to learn that 3 million turnover is not a large
>> business.  Why can these things not be decided on profit? There's a lot
>> of small operators that collect 3 million and then turn over the bulk of
>> that to AAPT/Telstra/Optus/Vocus.
>>
>> Yet the government treats them like AAPT/Telstra/Optus/Vocus
>>
>
> Don't you remember what happened with Distribute IT?
>
> I wouldn't consider $3000000 turnover as a small business either, more of
> a medium sized one, but you should be preventing these data breaches in the
> first place and have policies on who can access what information within the
> business.
>
> Depending on the size of the business and the type of data that is being
> collected you should also have written policies on what happens if a breach
> occurs.
>
> You should also have appropriate levels of insurance to make sure you are
> covered in case something happens.
>
> Also if you don't want to file reports yourself you have the option of
> hiring a personal assistant to take care of those tasks.
>
> I think it's actually a good thing that the federal government is starting
> to take IT security more seriously and that they are starting to crack down
> on this stuff.
>
> Though writing reports still won't actually prevent breaches so you still
> need good security practices in place.
>
> Regards, Chad.
>
>
>
> --
> Chad Kelly
> Manager
> CPK Web Services
> web www.cpkws.com.au
> phone 03 5273 0246
>