Australia's Mandatory Data Breach Notification Bill Revealed 40
mask.of.sanity writes "Australia's plans for a data breach notification scheme have been revealed which will force organizations to report serious breaches to affected victims. The plans, which are still in a draft form, show that the country's privacy commissioner could force businesses to inform press if the breaches are bad enough, pursue fines of up to $1.7 million for organizations that are repeatedly breached and force businesses to adopt stronger security controls."
Good plan. (Score:5, Insightful)
Just got a note from LivingSocial -- they inform me of the fact and tell me to reset my password. Almost like this is a force of nature event and not a screw up on their part for having been breached. Perhaps at least repeat offenders should be held responsible?
The most surprising thing (Score:5, Insightful)
The most surprising thing is that Australia has a Privacy Commissioner.
From what I read in the press that is the exact opposite of what I would expect from that government.
What a load of hooie (Score:5, Insightful)
It appears to take a conservative approach in its demand for data breaches to be reported, with only classifications of serious data breaches considered
Australian privacy regulations are a total joke. The privacy commissioner is a bureaucrat with no power. Businesses take, steal, trade, share, sell and harvest personal details willy nilly and there's no oversight or punishment whatsoever. How do they accomplish this? They set up shell companies which they use to harvest, trade and purchase personal data then shut down the companies after they've 'purchased' the data from them. "No Mr privacy commissioner, it wasn't us. It was company ABC which unfortunately .. is now a defunct corporation so there's no way to know how they got those private details. But before they closed up business in the floor below us, they assured us that everything was perfectly legal. Honest to goodness sir, there's simply nothing we can do!"
.. 'ties' to large marketing companies. Banks track purchases for the police (with no oversite or warrant), personal details are sold straight out of ATO records, supermarkets track every single purchase a person makes throughout their lives trading this to whomever they consider a 'business partner' and the consumer (if they manage to discover a company has their details) doesn't even have the right to have those details removed from the company's database.
.. the content in this post is not assumption or guess work, I've personally experienced everything listed here.
Privacy isn't even a remotely important priority. Anything that's raised as a bill is going to be full of loopholes like swiss cheese, because the political representatives in Australia include people with (how shall I put this gently)
BTW
weird that this isn't already the case (Score:4, Insightful)
I'm not sure what black-magic software companies and webservice providers incanted to manage to exempt themselves from traditional product-liability law. If you sell a widget and your design was shit in a way that causes monetary damages, traditionally you are liable. If you sell a widget and your design sucks so bad that it doesn't even work (even without causing real damages), then people are at least entitled to a refund. But software somehow avoids this: your design can be buggy as hell and somehow you are not liable for shipping a shit product that didn't fulfill its advertised purpose and may have actually actively harmed people.
This bill seems to just take one small step towards restoring some minimal degree of responsibility for your product.
Re:Good plan. (Score:4, Insightful)
Imagine if you had the expectation of your secure documents being in a bank vault, with limited access, multiple keys, so that bank employees can't just access your goods etc is in place. Instead, you have a set of shoe boxes, stored in a garden shed with a screen door flapping in the breeze.
If a bank heist happens, and your documents are stolen, and the bank has done everything that they can do, then the breach should not be punished, if, however, a second heist occurs, and the bank has fallen for the same trap again, you would think that the bank should be held accountable, no?