
Australia's Mandatory Data Breach Notification Bill Revealed

Posted by samzenpus
from the just-so-you-know dept.
mask.of.sanity writes "Australia's plans for a data breach notification scheme have been revealed, which will force organizations to report serious breaches to affected victims. The plans, which are still in draft form, show that the country's privacy commissioner could force businesses to inform the press if the breaches are bad enough, pursue fines of up to $1.7 million for organizations that are repeatedly breached, and force businesses to adopt stronger security controls."
  • Good plan. (Score:5, Insightful)

    by Mitreya (579078) <mitreyaNO@SPAMgmail.com> on Wednesday May 01, 2013 @07:35PM (#43605299)
    I know I am restating the obvious, but I find it interesting how no one is ever responsible for the security breach...
    Just got a note from LivingSocial -- they inform me of the fact and tell me to reset my password. Almost like this is a force of nature event and not a screw up on their part for having been breached. Perhaps at least repeat offenders should be held responsible?
    • by c0lo (1497653)

      I know I am restating the obvious, but I find it interesting how no one is ever responsible for the security breach...

      Once the lack of adequate security will start hurting enough the operators of the breach-able system, they'll start acting very responsible (and responsive) instead of sweeping the dust under the carpet.

      "Anti-hacking" laws are cost externalization, as they allow the operators to relax on the security side, at the expense of tax-payers (who pay for the policing, investigations, suits and possibly the sustenance of an offender in jail). Mind you, as a tax payer, you get to pay those costs even if you aren't u

    • From the summary "...pursue fines of up to $1.7 million for organizations that are repeatedly breached...", this act covers that eventuality.
  • by Zaelath (2588189) on Wednesday May 01, 2013 @07:35PM (#43605301)

    I know summaries are meant to be hyperbolic, but given you only have to take "reasonable steps" to secure customer data, there's not going to be too many $1.7 million repeat-offender fines meted out.

    • by Mitreya (579078)

      given you only have to take "reasonable steps" to secure customer data, there's not going to be too many $1.7 million repeat-offender fines meted out.

      You also need higher penalties for not reporting the breach.

      Or Australians will simply never hear about any data losses ever again...

      • given you only have to take "reasonable steps" to secure customer data, there's not going to be too many $1.7 million repeat-offender fines meted out.

        You also need higher penalties for not reporting the breach.

        Or Australians will simply never hear about any data losses ever again...

        The point of the law is to shut down the "notified of security flaw, did nothing" issue which shows up on /. repeatedly, often in relation to things like banks.

        You notify the company; if they do nothing you notify the government, who in turn now have the power to fine the company if they get breached. Cue companies actually reacting to security-flaw notifications rather than ignoring them till something happens.

    • by AHuxley (892839)
      Just thinking about very basic random issues in Australia:
      I would expect a person in charge to be listed, a 24/7 contact on call, a person with the task to look after data given the size of the fines.
      Some attempt to understand version drift, major exploits by staff and shown to be mapped out/some attempt to be blocked.
      Upgrading to or using some "good" password-based key derivation function.
      Making sure any common MS infection in ~admin staff areas does not get to move data out in bulk.
      Making sure data c
  • by icebike (68054) on Wednesday May 01, 2013 @07:36PM (#43605309)

    The most surprising thing is that Australia has a Privacy Commissioner.
    From what I read in the press that is the exact opposite of what I would expect from that government.

    • by Bremic (2703997)

      This is especially true as the current version of the tax software that pretty much everyone has to use to submit their End of Financial Year tax data only works with Internet Explorer, and has troubles with IE 8+.

      As I don't have a machine capable of running IE 6-8 I spoke to an accountant, who told me they collect the data and submit it using IE 7.

      I looked, and it is all submitted using http (not https), so there is absolutely no concern about even the minimum amount of security on people's TAX data. This i

    • by chihowa (366380)

      The most surprising thing is that Australia has a Privacy Commissioner.
      From what I read in the press that is the exact opposite of what I would expect from that government.

      Maybe it's like the Drug Czar in the US. I used to think that job sounded awesome when I was a teenager.

    • by Anonymous Coward

      I know Slashdot has mentioned Australia's proposed internet filter, proposed legal snooping of all telecommunications, etc... Every government has people who suggest stupid things. They don't actually get implemented, and Australia isn't actually an Orwellian dictatorship or anything.

      • by sd4f (1891894)
        It's a bread and circuses, er, ship, whatever you call that. We have some world-leading corrupt parliamentarians.
    • by NoMaster (142776)

      From what I read in the press ...

      Well there's your problem right there...

  • by OhANameWhatName (2688401) on Wednesday May 01, 2013 @07:41PM (#43605347)

    It appears to take a conservative approach in its demand for data breaches to be reported, with only classifications of serious data breaches considered

    Australian privacy regulations are a total joke. The privacy commissioner is a bureaucrat with no power. Businesses take, steal, trade, share, sell and harvest personal details willy-nilly and there's no oversight or punishment whatsoever. How do they accomplish this? They set up shell companies which they use to harvest, trade and purchase personal data, then shut down the companies after they've 'purchased' the data from them. "No, Mr Privacy Commissioner, it wasn't us. It was company ABC which unfortunately .. is now a defunct corporation so there's no way to know how they got those private details. But before they closed up business on the floor below us, they assured us that everything was perfectly legal. Honest to goodness sir, there's simply nothing we can do!"

    Privacy isn't even a remotely important priority. Anything that's raised as a bill is going to be full of loopholes like Swiss cheese, because the political representatives in Australia include people with (how shall I put this gently) .. 'ties' to large marketing companies. Banks track purchases for the police (with no oversight or warrant), personal details are sold straight out of ATO records, supermarkets track every single purchase a person makes throughout their lives, trading this to whomever they consider a 'business partner', and the consumer (if they manage to discover a company has their details) doesn't even have the right to have those details removed from the company's database.

    BTW .. the content in this post is not assumption or guesswork, I've personally experienced everything listed here.

  • by Trepidity (597) <delirium-slashdot@@@hackish...org> on Wednesday May 01, 2013 @08:03PM (#43605443)

    I'm not sure what black-magic software companies and webservice providers incanted to manage to exempt themselves from traditional product-liability law. If you sell a widget and your design was shit in a way that causes monetary damages, traditionally you are liable. If you sell a widget and your design sucks so bad that it doesn't even work (even without causing real damages), then people are at least entitled to a refund. But software somehow avoids this: your design can be buggy as hell and somehow you are not liable for shipping a shit product that didn't fulfill its advertised purpose and may have actually actively harmed people.

    This bill seems to just take one small step towards restoring some minimal degree of responsibility for your product.

    • Most issues with software are PEBKAC; that's why. There's a reason that checklists in tech support take care of 80% of calls.
      • by Trepidity (597)

        Even accounting for that, though, software providers get away with providing stuff that really is catastrophically buggy, without incurring liability, on the basis of some shrinkwrap EULAs that wouldn't fly in any other field.

      • by Anonymous Coward

        Most issues with software are PEBKAC; that's why. There's a reason that checklists in tech support take care of 80% of calls.

        No, PEBKAC is usually an excuse mediocre programmers use to cover up their own inadequacies. A checklist is a way of covering common problems. Why is that problem common?

        Software is a tool that is supposedly designed for users and if the target audience are unable to use that tool quickly and efficiently with a minimum of fuss then it's the fault of the tool designer and nobody els
