Australia's new data breach disclosure laws have a rather floppy definition of 'breach'

After years of discussion a draft of Australia's proposed data breach disclosure laws has landed and, to The Register's mind, it leaves a lot of wriggle room for those who would keep breaches secret. The draft Privacy Amendment (Notifiable Data Breaches) Bill 2016 (PDF) doesn't make it compulsory to report a breach. “It would …

  1. David Knapman

    So, the solution to "notification fatigue" is to water down the reporting requirements, rather than, say, encourage better security practices to lessen the number of breaches?

    Well, that makes sense.

  2. Andrew Commons

    Being distressed is not sufficient.

    "Though individuals may be distressed or otherwise upset at an unauthorised access to or unauthorised disclosure or loss of their personal information, this would not itself be sufficient to require notification unless a reasonable person in the entity’s position would consider that the likely consequences for those individuals would constitute a form of serious harm."

    Consider a series of breaches, each of which releases some information about an individual. None of these is considered serious enough to report in isolation, but taken together they provide enough information to create the risk of 'serious harm'.

    They all need to be reported.

    The concept of 'notification fatigue' also seems to imply that a large number of breaches are expected to be taking place which increases the aggregate risk issue.

  3. Adam 1

    I read/watched/heard recently about a particular data breach. The vendor had, between the time the breach occurred and the time they discovered it, changed something about how they stored the passwords, so they judged it unnecessary to inform anyone who had a new structured password. On one level it makes perfect sense, as "someone has just stolen your old password you don't use anymore" doesn't sound like a big issue. Of course it means that anyone using the same password for their e-mail or other services is waiting to be pwned. I would name names if I could remember. So in short, yes, self-appraisal of the seriousness of a breach (particularly from companies who don't deal in security day in and day out) is rather problematic.

  4. M7S

    Notification fatigue

    Perhaps if it were explained to the lawmakers that this is analogous to suggesting that in the real world the police should not record instances of assault in order to concentrate on murders, they might reconsider. Particularly once there is any evidence that emboldening the perpetrators of the former offence could lead them to go on to commit the latter....

  5. Anonymous Coward

    Change the law to make us owners of our data

    This law still thinks that our data, data that is or describes the individual or their actions and is generated by an individual, is not owned by the person generating the data.

    Change the law to make it clear that our data, an individual's data, is forever owned by the individual and that theft and abuses of that data will be enforced and punishable by fines and imprisonment.

    Then we can talk about the details.

  6. JJKing

    Clayton's anyone?

    Ah yes, the Clayton's Breach. It's the breach you're having when you're not having a breach. Damn, I can hear Jack Thompson's voice even as I typed that.

  7. Anonymous Coward

    Oh, the apathy...

    We get what we fight for...or not as the responses here seem to indicate.

    Is there really this lack of interest in critical cyber security governance in this (AUS) country?

    The fact that there is no discussion in this usually fertile forum is very discouraging, in fact frightening.

  8. kmb3390

    The severity of impact of a breach cannot be determined by the breached....

    Once again it appears that our elected representatives are going to miss the point when it comes to technology issues. Surely it is not possible for an entity that has suffered a breach to be able to fully determine what the impact of that breach will be on the people whose data has been compromised, as they won't necessarily be fully cognizant of all the implications for their "customers". Only the customers themselves are able to make the determination, and so must be told. There is no room here for concern about "notification fatigue" that may be suffered by the entity that is breached. The only thing that matters is that information on all breaches be made available so that users can determine for themselves whether or not they have been impacted.....

  9. Colin Tree

    John 3:19-21

    ....... and people loved the darkness rather than the light because their works were evil. For everyone who does wicked things hates the light and does not come to the light, lest his works should be exposed. But whoever does what is true comes to the light, so that it may be clearly seen .........

    deceitful pricks

    transparency is the best medicine
