Notifiable Data Breaches scheme

Discussion in 'Business & Enterprise Computing' started by Gunna, Feb 9, 2018.

  1. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    6,070
    Location:
    NSW
    Huh??
     
  2. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,538
    Health Service Providers industry sector reported the most breaches.
     
  3. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    6,070
    Location:
    NSW
    Sorry, I thought you were referring to a policy I could have a gander at to look at how to word our one.
     
  4. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    44,218
    Location:
    Brisbane
    I'm late to the party in this thread, but yes, this has been a big chunk of my career to date. For decades now.

    No. Australian IT is largely shithouse when it comes to security and related concepts (including things like being aware of breaches, being aware of the impact of a breach, having a policy on what to do after a breach, and giving two shits about the sensitivity of the data they store).

    These laws came in Feb 22, and I know for a fact there are thousands (if not more) businesses that are at high risk right now, and have done fuck all about it.

    It's going to be a fun couple of years ahead for sleepy Aussie IT.

    The rules are the same everywhere, and are security 101: categorise your data, get the risky shit off edge devices.

    It's going to annoy the people who like keeping crap on their laptops/phones. But IMHO they either need to understand why they can't, or change jobs if they can't deal with it.
     
    Last edited: May 15, 2018
  5. KDog

    KDog Member

    Joined:
    Jan 9, 2002
    Messages:
    269
    Location:
    ACT
    Most unis and gov depts have theirs online you can look at. I've just started writing a few for some of our clients; it doesn't have to be a long or complicated policy like ISO 27000, for example.
     
  6. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    760
    Location:
    ork.sg
    Not following legislation is a completely legitimate approach - assuming you have assessed the impacts.
     
  7. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    44,218
    Location:
    Brisbane
    Sure. My comment was more aligned to those that are "vulnerable but ignorant", which is guaranteed to be a large number.

    The "don't know what they don't know" crowd.
     
  8. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,538
    It worked for the Banks :).

    Is anyone worried that these schemes promote, or reward, ignorance?
    If I have an IDS and do DLP, and notice data walking, I have to report.
    Solution: No IDS, no DLP = No Reporting = No Problem
     
  9. KDog

    KDog Member

    Joined:
    Jan 9, 2002
    Messages:
    269
    Location:
    ACT
    I think most people here are overreaching on the impact of the scheme. It won't harden a network or change a security policy in 90% of workplaces. This scheme has nothing to do with security and will have no impact on it. It is merely for reporting unauthorised access or loss of PII.

    It doesn't affect anyone having their IP stolen, nor does it matter if you are crypto-lockered; neither requires reporting.
     
  10. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    760
    Location:
    ork.sg
    So OAIC is moving to six-monthly reporting on NDB because they are not suitably resourced to keep up with quarterly reporting. I also note they haven't enforced penalties on anyone. So pointless undertaking thus far? Other than 'awareness'?
     
  11. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    44,218
    Location:
    Brisbane
    I'm ignorant to these things, but I would assume that it's a year of data/stats gathering before the hammer of justice comes crashing down, no?

    "Can't manage what you can't measure" kind of thing? Again, assumption on my behalf, but I'd assume there would be a grace period before things get tough. Or are we looking at this being toothless forever more?
     
  12. Doc-of-FC

    Doc-of-FC Member

    Joined:
    Aug 30, 2001
    Messages:
    3,383
    Location:
    Canberra
    Toothless is a very real possibility. I get the softly-softly first year/two mindset also; however, most of the things reported, from memory, were really basic lapses with no real impact to citizens.
     
  13. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    44,218
    Location:
    Brisbane
    I'm assuming it'll be like everything else, where there has to be a truly terrible event where high profile folks either lose lots of money or die, and then it'll change.
     
  14. Gunna (OP)

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,844
    Location:
    Brisbane
    Yup. Equifax, Cambridge Analytica and this have shown most people don't give a shit until it directly impacts them, and even then the laws and fines certainly don't match the repercussions.

    https://www.engadget.com/2019/07/22/equifax-settlement-over-data-breach/

    Equifax got fined $4 per person. I think they have made much more than that over the years though.
     