Comments on: Govt may force data breach disclosure

By: Tinman_au

Tinman_au — Fri, 19 Oct 2012 05:55:16 +0000

I don’t want to know about every breach/intrusion they may have (say for a DDoS or defacing a web site), but I sure as heck want to know about it if they think they may have accessed my data!

By: Stephen H

Stephen H — Fri, 19 Oct 2012 05:26:58 +0000

If you are required to report every security breach you detect, then is that encouraging companies to wind back on their detection activity? If they don’t know about it, they can’t report it – but that doesn’t make the breach any less serious.

I like the idea of mandatory reporting, but you need to be careful about the behaviour you might encourage.

By: CW

CW — Fri, 19 Oct 2012 05:13:31 +0000

I think this is a good idea, it will force businesses to reconsider what data they record as there will be liability associated with it. Why store non essential data if you have to deal with the consequences of its exfiltration?

By: seven_tech

seven_tech — Fri, 19 Oct 2012 00:46:43 +0000

Interesting counterpoint to the Data Retention proposals. Although, IF the data retention were to go ahead, this would go hand in hand as RSP’s would be required to disclose breaches to the data.

I think the issue of hacking needs to be made more mainstream so companies get on top of it. Too many simply knee-jerk when something happens and otherwise let security lapse regularly. Sure, it might be scary to know how many are being hacked first off…..but I’m sure they’d fix it if it was in the media every 2 weeks….

By: Simon Reidy

Simon Reidy — Fri, 19 Oct 2012 00:39:52 +0000

I have no problem with this plan at all. I think it’s a sensible idea. Consumers should have the right to know if their data has been potentially exposed. We all know companies will never do the right thing here, so forcing their hand is in the public interest.

Not every security idea or internet regulation suggested by the Governement is automatically a bad thing. This one sounds like it would a.) force companies into being as secure and responsible with our data as possible (no one wants the bad publicity from a data breach) and b.) protect the interests of the consumer online, so if there is a breach, people have the opportunity to quickly change passwords for other accounts (if like most people they are silly enough to use shared passwords for multiple accounts) and be aware of what exactly has been exposed and when.

By: Myke

Myke — Thu, 18 Oct 2012 22:38:35 +0000

+1. (s/security field/field/g)

By: Peter Kelley

Peter Kelley — Thu, 18 Oct 2012 22:22:26 +0000

Does anyone else see the juxtaposition here between data breach disclosure and retaining internet history? On the one hand the AG is trying to protect consumers privacy by providing better disclosure of breaches and holding data custodians to account and on the other hand legislating for organisations with a variety of security competence to store a treasure trove of personal information.

Surely these initiatives are going in different directions?

By: Renai LeMay

Renai LeMay — Thu, 18 Oct 2012 08:22:32 +0000

link away! I often do :)

By: Tom

Tom — Thu, 18 Oct 2012 08:14:49 +0000

As someone who works in the IT security field, personally I find this an appropriate step forward. The problem is that in general, organisations take a very reactive approach to security and this is NOT the way it should be.

Yes, initially this may cause many occurrences to be released to the media, however the embarrassment and the degrade in trust may actually force organisations, in general, to take an active stance on security. I do not believe the current mindset is the right one in an age where breaches occur far more frequently than is ever mentioned.

Taking the IT security hat off – as a citizen, I want to know what is breached so that I know if I have information in that place that I should change my details. This may even mean that organisations are going to be less likely to ask for more personal information – they simply won’t want to take the risk on board.

Lastly in regards to the government, I do not necessarily agree that government agencies should be exempt entirely – perhaps are delayed response after a fix has been applied. I can understand why the government don’t want to be able to disclose breaches – it erodes the trust in government (note: not just for this current government, but for all future governments). Also if they are forced to disclose a breach prior to getting a fix, this will just raise red flags as a vulnerable source of information.

By: Tony Healy

Tony Healy — Thu, 18 Oct 2012 08:02:45 +0000

Renai, if organisations lack the expertise to safeguard sensitive information that customers give them, they should not be soliciting that information. Full stop.

On a professional level, disclosure laws will force organisations to investigate and hire good expertise. Win win.

By: Martin Eddy

Martin Eddy — Thu, 18 Oct 2012 07:40:26 +0000

Which is BS. Governments should not be exempt from these laws. They’re more likely to have breaches IMO.

By: Martin Eddy

Martin Eddy — Thu, 18 Oct 2012 07:39:00 +0000

I’m with Daniel.

The point of these types of laws is to make companies that have our information do more to protect it.
It may well be scary to find out how often our privacy is breached but I’d rather find out who’s not looking after MY PRIVATE INFORMATION than stick my head in the sand.

By: Joakal

Joakal — Thu, 18 Oct 2012 07:33:34 +0000

The paper mentions law enforcement activities should be exempt.

Another source (I hope you don’t mind competition, Renai!): http://www.itnews.com.au/News/319484,roxon-raises-mandatory-data-breach-laws.aspx

By: Soth

Soth — Thu, 18 Oct 2012 06:52:23 +0000

Does this include the Australian Government?

By: Daniel

Daniel — Thu, 18 Oct 2012 06:41:34 +0000

I disagree Renai,

All breaches should be revealed, simply because one breach can lead to a big one.

Especially if it’s from the same Data Center.