Data breach notification law finally makes it to Australia's Parliament

Australia's long-awaited and long-delayed data breach notification laws are back on the political agenda, after the nation's House of Representatives passed the legislation yesterday. The bill now before Australia's Senate is the rather limp document that landed in October 2016. Companies will have the chance to keep mum …

  1. Adam 1

    The difficulty I see is that even a minor breach can have associated consequences.

    Consider for example a sporting club with an online portal for court bookings or classes etc. There is nothing confidential in there, it's all printed out on the noticeboard anyhow. But their server remained unpatched for years as they can't afford an IT BOFH and now their mysql backup files are popped.

    OK, so nothing confidential had been exposed, and the passwords are all at least hashed, even though it is unsalted md5 (which we knew not to use even 10 years ago *cough* Yahoo! *cough*) but by my reading this would definitely be a minor breach.

    The problem?

    * Any common md5 password can literally be cracked by googling the hash. Or hashcat will find it very quickly if less than 8 characters.

    * Most people use the same password for multiple services.

    So now someone has their email account popped and from there password resets on other services.

    1. RudderLessIT

      The difficulty I see is that even a minor breach can have 'any number of unknown consequences'.

      So the executive can review a list of possible consequences and choose the least impact as the indicator on whether or not to report it - and it's all legit!

      1. veti

        Well, no. The test is:

        the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates;

        Note, any of the individuals - which means you have to consider the worst case, not the best.

        Of course it's incredibly vague and clearly designed to enrich lawyers. But what else is new.
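Adam's point above (a dump of unsalted md5 digests is effectively a dump of passwords, because a common password maps to one well-known digest that can be looked up directly, and reuse then carries the compromise to other services) is easy to demonstrate in code. The following is an added example, not code from the comment or from The Register; the "leaked" rows are constructed sample data, and the scrypt work factors are an assumption chosen for illustration. It shows why identical passwords in an unsalted table are detectable without cracking anything, and contrasts that with per-user salted, memory-hard hashing from the Python standard library.

```python
import hashlib
import hmac
import secrets

# Constructed sample rows, shaped like an unsalted-md5 user table from a
# small club portal. Two members chose the same weak password. Not real data.
LEAKED_ROWS = {
    "alice": hashlib.md5(b"password1").hexdigest(),
    "bob": hashlib.md5(b"password1").hexdigest(),
    "carol": hashlib.md5(b"Tr0ub4dor&3").hexdigest(),
}

# Assumed scrypt parameters for the hardened scheme (16 MiB per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def unsalted_md5_collisions(rows):
    """Group users whose unsalted md5 digests are identical.

    Identical digests mean identical passwords. One lookup of that digest
    (a precomputed table, or a search engine, as the comment notes)
    exposes every account in the group at once. This is the defender's
    view of why an unsalted dump is not a 'minor' breach.
    """
    by_digest = {}
    for user, digest in rows.items():
        by_digest.setdefault(digest, []).append(user)
    return {d: users for d, users in by_digest.items() if len(users) > 1}


def hash_password(password, salt=None):
    """Salted, memory-hard scrypt hash. Stored as scrypt$<salt_hex>$<hash_hex>."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per user
    digest = hashlib.scrypt(
        password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN
    )
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    recomputed = hashlib.scrypt(
        password.encode(),
        salt=bytes.fromhex(salt_hex),
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def salted_rows_collide(password):
    """Same password hashed twice with fresh salts: the stored values differ,
    so a leaked table no longer reveals which users share a password, and
    each hash must be attacked separately at scrypt cost rather than looked up."""
    return hash_password(password) == hash_password(password)


if __name__ == "__main__":
    print("shared-password groups in unsalted table:", unsalted_md5_collisions(LEAKED_ROWS))
    print("salted hashes of one password collide:", salted_rows_collide("password1"))
    h = hash_password("password1")
    print(h, verify_password("password1", h), verify_password("password2", h))
```

The md5 check needs no cracking at all: the grouping alone tells an attacker that alice and bob share a password, and the digest of a common password is a known value. The scrypt rows carry no such structure, and the cost of testing a single guess is set by the work factors rather than by md5's speed.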

  2. Chet Mannly

    Surely the type of data should be the determinant rather than the form?

    I mean if someone accidentally attaches an innocuous letter sent to me that's minor, but if the attachment is my complete medical history not so much...

  3. RudderLessIT

    So Crypto locker is OK?

    We experienced an attack and I can hand on heart say that not a 1 or a 0 left the organisation.

    So that's not a breach?

    If I then choose to pay the criminals for the (possibly working) key, then no harm, no report?
