Oz privacy comish says breaches could double this year

The office of Australia's Federal Privacy Commissioner has received 60 voluntary data breach notifications in the six months since 12 March, compared to 71 received in the whole 2014 financial year. The statistics, provided to Vulture South and repeated at the Australian Information Security Association conference, include all manner of …

  1. dan1980

    "Data breaches unfortunately appear to be an inevitable part of business in the information age and a data breach notification law could help businesses deal with this risk and respond to this breach."

    Yes! This is exactly the case - data breaches are inevitable, as I have said multiple times. But that doesn't mean there is nothing to do but accept it. If a shop-owner in a 'dodgy' neighbourhood accepts that being robbed is possible and difficult to entirely prevent, then he/she doesn't just shrug his shoulders and install some cameras. What that shop owner would - or should - do is limit the amount of cash in the till and make sure that, if there is an onsite safe, employees can't open it.

    The first thing that needs to happen is a serious review of exactly what data is being kept.

    Take companies/services/websites that prompt you to enter your mother's maiden name. This should never be a requirement, except where it is necessary to establish some critical point of identity. Even then, the data should be kept in a separate 'identity verification' system and purged once it has been used to establish whatever it is. Thereafter the verification status is signified by a token that contains no useful information beyond the flag state.

    One of the reasons that there are so many breaches is that there is so much information to steal - companies have giant troves of customer data, all cross-referenced and ready to be put to use. If companies only kept the bare minimum then far, FAR less of our personal information would get out, first because if it did get out it wouldn't be that damaging, but also because it's just not worth stealing.

    Yes, it would mean that companies couldn't run their analytics engines to profile customers or on-sell this information for profit, but that is, essentially, what we are dealing with here: the play-off between the privacy of the customer and the value to the company of that information. In other words, them putting profit above privacy.

    The second thing that needs to happen is for a set of regulations to be drawn up governing how personal data is handled by companies that collect it. I mean proper technical regulations, such as the correct way to store particularly sensitive information including passwords and credit card details, and secure database design to limit what can be accessed in the event a system is compromised.

    This is all, of course, a wild pipe dream but my point is that, once you accept that breaches WILL happen, the focus can then turn to making sure those breaches gain as little sensitive information as possible, not on simply telling people that it was stolen and, hey, whatareyougoingtodo? Sorry, that's the Internet, buddy!

    1. dhcp pump


      The irony of this new "governing body" is that it's all after the fact, after all the information is slurped!

      Fines are required if they do not pass the regulatory standards, and a breach of standards is required, if there were any for private companies who don't fit into the existing standards framework, which is really thousands of AU businesses and websites.

      More emphasis is required in the pre-emptive policies of the infosec industry standards for AU, and a Governance and Audit framework (not SOX or COBIT - slight fail) for Australian companies, small and large, who hold or present Internet data to the public.

      As with vehicle manufacturing and AU regulation safety standards, a new Governing Standard is required for all Internet hardware imported or manufactured in AU; there is none at present.

      Imported routers, as we know, are riddled with issues, even the best of them (Cisco), but a look at all the others shows shellcode, DNS and insecure wireless out of the box, along with other issues which pose a massive instant risk of data disclosure when powered on and a business network is connected.

      Specific standards (regulations) are required in the AU place for all SQL and DBs that are Internet facing; there should be a minimum standard NOW, with bi-yearly reviews or testing executed as is done for high-risk vehicles such as trains, buses, and the trucking industry.

      The DOD regulation standard should be a minimum regulation standard, with higher standards for data retention companies, and those storing full profiles or information on persons, such as the health industry, CPAs and the private company loan market.
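The pattern dan1980 sketches above - keep the sensitive verification answer in a separate store as a salted hash, purge it once it has done its job, and leave the customer record holding nothing but a signed "verified" flag - is concrete enough to show in code. The following Python is an added example, not code from the commenters or from The Register; the two in-memory dictionaries standing in for separate systems, the HMAC token key, the function names and the sample customer IDs are all assumptions made for the illustration. The same salted PBKDF2 approach used for the answer is the "correct way to store" a password that the comment asks regulators to mandate.

```python
"""Data-minimising identity verification (added example, not from the page).

Two constructed stores stand in for two separate systems: a verification store
holding only a salted digest of the sensitive answer, and the main customer
record holding only a MAC-signed status token with no personal data in it.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory stand-ins for two separate back-end systems (assumption).
VERIFICATION_STORE: Dict[str, dict] = {}   # customer_id -> {"salt", "digest"}
CUSTOMER_RECORDS: Dict[str, dict] = {}     # customer_id -> {"verified_token"}

# Assumption: a signing key held only by the identity service, never by the
# systems that read the flag.  Regenerated per process for this example.
TOKEN_KEY = secrets.token_bytes(32)

PBKDF2_ITERATIONS = 600_000   # current OWASP-level work factor for PBKDF2-SHA256


def _normalise(answer: str) -> bytes:
    """Case- and whitespace-normalise so "O'Brien" and " o'brien " compare equal."""
    return " ".join(answer.strip().lower().split()).encode("utf-8")


def enrol_answer(customer_id: str, answer: str) -> None:
    """Record a salted PBKDF2 digest of the answer; the plaintext is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalise(answer), salt, PBKDF2_ITERATIONS)
    VERIFICATION_STORE[customer_id] = {"salt": salt, "digest": digest}


def mint_status_token(customer_id: str) -> str:
    """Build a token carrying only the flag state and a timestamp.

    The customer ID is bound in through the MAC rather than placed in the
    payload, so the token says nothing about the person beyond "verified".
    """
    payload = f"verified:{int(time.time())}".encode("utf-8")
    mac = hmac.new(TOKEN_KEY, customer_id.encode("utf-8") + b"|" + payload,
                   hashlib.sha256).hexdigest()
    return payload.hex() + "." + mac


def check_status_token(customer_id: str, token: str) -> bool:
    """Accept the flag only if the MAC binds it to this customer and our key."""
    try:
        payload_hex, mac = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return False
    expected = hmac.new(TOKEN_KEY, customer_id.encode("utf-8") + b"|" + payload,
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac) and payload.startswith(b"verified:")


def verify_and_purge(customer_id: str, answer: str) -> Optional[str]:
    """Check the answer once, purge the digest, and return a status token.

    Returns None if there is nothing to check or the answer is wrong.  After a
    success the verification store holds nothing about this customer, so a
    later breach of that store yields nothing reusable.
    """
    entry = VERIFICATION_STORE.get(customer_id)
    if entry is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", _normalise(answer),
                                    entry["salt"], PBKDF2_ITERATIONS)
    if not hmac.compare_digest(candidate, entry["digest"]):
        return None
    del VERIFICATION_STORE[customer_id]      # purge: the answer is never needed again
    token = mint_status_token(customer_id)
    CUSTOMER_RECORDS[customer_id] = {"verified_token": token}
    return token


def is_verified(customer_id: str) -> bool:
    """What every other system sees: a flag, validated against the signing key."""
    record = CUSTOMER_RECORDS.get(customer_id)
    if not record:
        return False
    return check_status_token(customer_id, record["verified_token"])


if __name__ == "__main__":
    enrol_answer("cust-1", "O'Brien")                 # constructed sample customer
    print("wrong answer:", verify_and_purge("cust-1", "smith"))
    print("right answer:", verify_and_purge("cust-1", " o'brien ") is not None)
    print("store purged:", "cust-1" not in VERIFICATION_STORE)
    print("flag visible:", is_verified("cust-1"))
```

The design choice worth noting is that the MAC covers the customer ID without the token carrying it: a token lifted from one record cannot be dropped into another, yet someone who steals the customer table learns only that some accounts are verified, not the answers that verified them.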

