Notifiable Data Breaches scheme

Discussion in 'Business & Enterprise Computing' started by Gunna, Feb 9, 2018.

  1. Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,844
    Location:
    Brisbane
    So I had heard whispers of requirements for businesses to report data breaches but honestly hadn't heard much about it until someone on OCAU posted a link and the requirements to report breaches from Feb 22 onwards.

    Initially I didn't think this really applied to us, but the more I thought about it, it may actually. With an increasingly mobile workforce, the information stored on laptops, iPads and phones could potentially fall under the listed data; the site only lists some types of data, so it could cover much more than I thought.

    Managers keeping resumes (addresses and phone numbers), information on their team members' performance, managers/HR and finance discussing team members' health and payroll information. As this new requirement also covers external or internal users gaining unauthorised access, unauthorised disclosure and loss, it opens the discussion to data loss prevention both internally and externally, laptop hard drive encryption, and policies in place to comply with the Privacy Act requirements.

    Has anyone else looked into the requirements and what are you doing to comply? Am I the only one learning of this now?
     
    Last edited: Feb 9, 2018
  2. mr camouflage

    mr camouflage Member

    Joined:
    May 25, 2012
    Messages:
    1,109
    Location:
    Perth
  3. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    6,070
    Location:
    NSW
    We work in healthcare, so we have to take it seriously.

    Basically:

    BitLocker for ALL company laptops (was not even used before)
    Encrypted mobile phones (phones had never been deployed here before)
    PIN/password protected access to mobile phones (phones had never been deployed here before)
    Password protected access to our Mobile Health app on said company phones (app NOT allowed on non-company phones)
    MDM for remote wipe of lost gear
    Will be re-performing the dodgy simulated email requesting a password change from a non-company email address (last year had, I think, a 40% fail rate)

    Will also, when I get back from holidays, be performing our first external company pen test (and fixing issues they find, because you're an idiot if you think there aren't issues to be found)

    Will no doubt do more.
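Added example, not from bcann's post or from any vendor: a PowerShell script that reports whether every fixed volume on a Windows laptop actually meets the "BitLocker for ALL company laptops" control, and catches the two gaps that usually undermine it in practice: protection suspended (encrypted but ProtectionStatus Off, common after firmware updates) and a volume with no recovery password that could be escrowed to AD/MDM. It uses only the built-in BitLocker module's Get-BitLockerVolume cmdlet; the function name, the in-scope rule (OS and fixed data volumes only) and the compliance rule are this example's own assumptions.

```powershell
# Added example (not part of the thread): audit BitLocker state on the local machine.
# Requires the BitLocker module (Windows 10/11 Pro/Enterprise) and an elevated prompt.
function Get-BitLockerComplianceReport {
    [CmdletBinding()]
    param()

    # Get-BitLockerVolume is part of the built-in BitLocker module.
    $volumes = Get-BitLockerVolume -ErrorAction Stop

    foreach ($v in $volumes) {
        # Assumption: only OS and fixed data volumes are in scope for this control;
        # removable media (BitLocker To Go) is reported but not flagged.
        $inScope = $v.VolumeType -in @('OperatingSystem', 'Data')

        # A volume only counts as protected when protection is On AND encryption is
        # complete. "FullyEncrypted" with ProtectionStatus Off means BitLocker is
        # suspended and the key is stored in the clear on disk.
        $protected = ($v.ProtectionStatus -eq 'On') -and ($v.VolumeStatus -eq 'FullyEncrypted')

        # Recovery keys should be escrowed centrally; a RecoveryPassword protector is
        # what AD/Intune/MDM back up. A volume without one cannot be recovered by IT.
        $protectorTypes     = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        $hasRecoveryPassword = $protectorTypes -like '*RecoveryPassword*'

        [PSCustomObject]@{
            ComputerName        = $env:COMPUTERNAME
            MountPoint          = $v.MountPoint
            VolumeType          = $v.VolumeType
            ProtectionStatus    = $v.ProtectionStatus
            VolumeStatus        = $v.VolumeStatus
            EncryptionPercent   = $v.EncryptionPercentage
            KeyProtectors       = $protectorTypes
            HasRecoveryPassword = $hasRecoveryPassword
            # Out-of-scope volumes are never flagged; in-scope ones need both checks.
            Compliant           = (-not $inScope) -or ($protected -and $hasRecoveryPassword)
        }
    }
}

# Usage: print the report, then exit non-zero if any in-scope volume fails, so the
# script can gate an MDM/RMM compliance rule or a fleet-wide report.
$report = Get-BitLockerComplianceReport
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it elevated on each device (or push it as a compliance script through the MDM already being used for remote wipe); the per-volume objects can be exported to CSV to evidence the control across the fleet, and the exit code flags any laptop that still has a decrypted, suspended or non-escrowed volume.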
     
  4. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,538
    A good idea, neutered by subjectivity...

    State and territory government agencies, as well as private sector entities not covered by the Privacy Act, may find the guide helpful in outlining good privacy practice. However, the OAIC would not have a role in receiving notifications about data breaches experienced by those entities, other than for ACT Government agencies.


    Now I'm sad.
     
  5. Doc-of-FC

    Doc-of-FC Member

    Joined:
    Aug 30, 2001
    Messages:
    3,383
    Location:
    Canberra
    APPs under the Privacy Act have already applied to:
     
  6. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    66,430
    Location:
    brisbane
    We had a vendor notify us of a breach last year through this scheme - so contact from the govt and the vendor. Thankfully our policy is vendors get the bare minimum - not what they "want". So it was a non-event.
     
  7. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    760
    Location:
    ork.sg
    What bit is subjective? It's pretty clear.

    Which is actually already required by the privacy laws.
     
  8. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,538
    Combined with

    So the business that lost my information gets to decide whether the loss of that information is likely to result in serious harm, which they can't do objectively because they don't know my situation.

    Why can't they just make it "Have Leak = Notify"?
     
  9. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    760
    Location:
    ork.sg
    They can't do it objectively because they are commercially against disclosing. However, who else practically would do it? Do you engage a Big 4 firm to assess whether or not you have a breach worthy of reporting?

    The use of the term 'reasonable person' is well used in law, and is as defined as you can expect for this purpose. The reason you don't notify all leaks is simple: everyone will just stop paying attention to them, so the purpose of informing people to watch out/be careful/pay special attention etc. will just be watered down to the constant noise of 'we leaked your name, maybe'.

    There is some wiggle room sure, maybe too much, maybe not, but I would like to hear practical ways to remove it.
     
  10. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,538
    Letting the fox manage the hen house is a terrible idea :), how about...

    Everything gets reported to the Privacy Commissioner (or some other independent, objective 3rd party, appropriately resourced).
    Privacy Commissioner makes determination of harm, and issues public disclosure requirements to company.

    ----

    Who is responsible for disclosure when 3rd party is the source of data?
    I opt in on Dominos.com.au because I want to win a TV
    Dominos pass my data on to some 3rd party advertiser in bumfuckistan who gets owned
    now I'm getting targeted spam, including my suburb (well, the suburb of my local dominos)....
     
  11. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    760
    Location:
    ork.sg
    How about the Privacy Commissioner just dies under the flood of BS, and breach information takes months or years to be assessed and notified (or not)?
    Can you imagine the volume of every leaked record, or record that was exposed to the wrong person? It would be crippling.
     
  12. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    66,430
    Location:
    brisbane
    Yeah, if only there was some kind of aggregated source for that.

    https://haveibeenpwned.com/
     
  13. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,315
    Location:
    Canberra
    I went to the website and it said "yes."

    What do I do now?
     
  14. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,538
    Hence my "appropriately resourced" caveat.

    If the TIO can survive the BS of complaints that get sent that way, and gets to charge the telcos for it, fund the Privacy Commissioner from fees levied on breached businesses :).
     
  15. Tinian

    Tinian Member

    Joined:
    Jan 3, 2009
    Messages:
    19,875
    Location:
    15.0° N, 145.63° E
    That would seem too simple.
    Progress to the second step where you provide your passwords so they can see just how bad you've been pwned.
     
  16. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    760
    Location:
    ork.sg
    Emailing someone's record to the wrong email address is a breach.
    Faxing to the wrong phone number is a breach.
    Putting PII into the recycle bin and not the shredder is a breach.
    Searching for your ex-GF/BF without cause on a system is a breach.

    Then the Privacy Commissioner needs to go out to the companies and ask them about it... so they are self-investigating again, after the company has reported it in the first place. Except now you have an external body involved.
    The work effort to manage, assess and report every breach is just astronomical. Completely infeasible, impractical and really doesn't achieve anything positive. Unless 'appropriately' resourced means sending privacy agents out to every business to do independent investigations on every breach, no matter how big/small.

    I understand your concern. I think the current approach is open to abuse, but it needs to start somewhere and not stifle business, and I think your solution isn't a solution, but another problem.

    The goal of the legislation is to find a happy ground between protecting people's information and allowing Australia to have a functional, efficient economy.
     
  17. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,538
    Breach = Notify

    Something very similar to haveibeenpwned, linked above, might work.

    I want to know if someone e-mailed my records to someone they shouldn't, and I can make the determination of harm, and should have appropriate escalation routes.

    Systems need to be put in place to make reporting easy, and an assumption of guilt/liability needs to be removed from reporting.
     
  18. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    760
    Location:
    ork.sg
    I'm saying that everyone reporting every Breach = Dead system.
    Can you imagine if the police actually policed every non-legal act? They couldn't, so they focus on the bigger issues.
    The goal is not to empower individuals to chastise organisations and allow YOU to determine what is appropriate or not; it's for all businesses to have a common understanding of what is needed and the implications.
     
  19. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    6,070
    Location:
    NSW
  20. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,538
    Healthcare Number 1 on the East Side
     
