[AusNOG] Mandatory data breach notification will become law in Australia

Mister Pink misterpink at gmail.com
Wed Mar 1 16:08:43 EST 2017


Lol - it seems that my earlier rant might have indirectly invalidated my
own argument; the following statement may no longer be accurate!

*>"ISPs are amongst the most poorly represented."*

On 1 March 2017 at 10:59, Mister Pink <misterpink at gmail.com> wrote:

> Hear, hear.
>
> I'm watching the commentary on this thread with interest. As a security
> guy I have been looking at this data breach legislation for a while, and
> was active in the submission phase etc. Too much legislation and it ends
> up like California, where everyone gets 3 notices a week and they end up
> meaning nothing; too little and large companies continue to be complacent
> about security and privacy, and sweep these breaches under the carpet with
> impunity.
>
> Is the legislation perfect? No, far from it, but it's a lot better
> than nothing, and miles ahead of the initial drafts.
>
> Will it change anything for responsible companies? No, the correct thing
> to do has always been to inform your customers as quickly as possible after
> you become aware of any breach with the potential to cause harm.
>
> The DR legislation means that an awful lot of the companies on this list
> are now retaining far more PII than ever before, and the implications of
> this are far reaching.
>
> If you hate the thought of having to notify customers when you get
> breached, then your best response is to put your effort (and perhaps some
> portion of your DRIP payments) towards securing your systems so that this
> is much less likely to occur.
>
> Having worked for ISPs prior to becoming a security consultant who now
> spends his time looking at the security posture of all types of
> organisations in all types of industries, I can tell you that in my
> experience the ISP industry is a long way behind where it should be in
> terms of security posture, given the high concentrations of technically
> adept people at their disposal.
>
> Some of this is arrogance which leads to a reticence to seek assistance,
> some of this is to do with the competitive nature of the industry driving
> low margins, some of this is to do with scale, in that by its nature,
> carrier networks require large public footprints, which result in large
> attack surfaces.
>
> By way of an example, we have a security collaboration portal
> <http://portal.securitycolony.com/> that is crammed full of useful
> resources that can assist organisations in improving their security posture
> through handling incident response. We even have videos telling you how
> best to handle a breach notification
> <https://blog.hivint.com/cybersecurity-incident-breach-disclosure-guide-9ef996caeaf5#.a57f7oz92>.
> Amongst all of the companies that are utilising this resource, ISPs are
> amongst the most poorly represented.
>
> Eric Pinkerton
> hivint.com
>
> On 28 February 2017 at 14:43, Chad Kelly <chad at cpkws.com.au> wrote:
>
>> On 2/28/2017 12:00 PM, ausnog-request at lists.ausnog.net wrote:
>>
>>> I'm suggesting that more and more government regulation does but one
>>> thing: push small guys out of the market. It won't just be a reporting
>>> requirement, but there will be forms, reports, reporting officers etc.
>>> etc. It's not the reporting requirement I have a problem with, it's all
>>> the red tape that's going to go with it.
>>>
>>> The government needs to learn that 3 million turnover is not a large
>>> business. Why can these things not be decided on profit? There's a lot
>>> of small operators that collect 3 million and then turn over the bulk of
>>> that to AAPT/Telstra/Optus/Vocus.
>>>
>>> Yet the government treats them like AAPT/Telstra/Optus/Vocus.
>>>
>>
>> Don't you remember what happened with Distribute IT?
>>
>> I wouldn't consider $3000000 turnover as a small business either, more of
>> a medium-sized one, but you should be preventing these data breaches in the
>> first place and have policies on who can access what information within the
>> business.
>>
>> Depending on the size of the business and the type of data that is being
>> collected, you should also have written policies on what happens if a breach
>> occurs.
>>
>> You should also have appropriate levels of insurance to make sure you are
>> covered in case something happens.
>>
>> Also, if you don't want to file reports yourself, you have the option of
>> hiring a personal assistant to take care of those tasks.
>>
>> I think it's actually a good thing that the federal government is starting
>> to take IT security more seriously and that they are starting to crack down
>> on this stuff.
>>
>> Though writing reports still won't actually prevent breaches, so you still
>> need good security practices in place.
>>
>> Regards, Chad.
>>
>>
>>
>> --
>> Chad Kelly
>> Manager
>> CPK Web Services
>> web www.cpkws.com.au
>> phone 03 5273 0246
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>
>