[LINK] [PRIVACY] Re: Super fund security breach lands good Samaritan in hot water

Richard Chirgwin rchirgwin at ozemail.com.au
Thu Oct 20 21:03:55 AEDT 2011


The Privacy Commissioner is unique in my journalistic experience.

When all else fails, a sufficient degree of unfair insult will 
eventually draw a call or e-mail from a furious PR. It's worked, for 
example, for Telstra all the way back to Frank Blount's day.

But not the Privacy Commissioner. I have called the office the "king of 
the wet slap", the "watch-puppy", and all manner of other derogatory 
epithets, and still not upset anybody in the office enough to try to 
correct the record. That leads me to speculate that the office knows 
just how toothless it is. Maybe it hopes that people like me will come 
up with something with enough sting to bring a political response!


On 20/10/11 8:44 PM, Roger Clarke wrote:
> At 18:30 +1100 20/10/11, Jan Whitaker wrote:
>> Super bad: First State set police on man who showed them how 770,000
>> accounts could be ripped off
>> http://www.theage.com.au/it-pro/security-it/super-bad-first-state-set-police-on-man-who-showed-them-how--770000-accounts-could-be-ripped-off-20111018-1lvx1.html
>> Claims First State Super flaw ignored for 'years'
>> Asher Moses
>> October 20, 2011 - 12:09PM
> It's great stuff.  Security people indulge in theatre all the time.
> They have to allow other people to play the melodrama game too.
> But here's the key messages about regulation:
>> The superannuation industry is regulated by the Australian
>> Prudential Regulation Authority.  ... APRA's oversight of the
>> industry extends to ensuring firms adequately manage IT risks.
>> [1] A spokesman for APRA said he could not comment on the matter
>> because ''a secrecy provision in the APRA Act prevents us from''
>> commenting on the institutions that it regulates.
> Not 'name and shame', but 'smother the bother'.
>> [2] A ''prudential practice guide'' on the management of security
>> risk in information technology by superannuation firms (PDF) is
>> published on APRA's website.
>> ''Controls, commensurate with the sensitivity and criticality of the
>> data/information involved, would normally be implemented where
>> sensitive data/information is at risk of leakage,'' the guidelines
>> around access controls state.
> Not requirements, not standards, not commitments, not anything really.
> The same old public servant waffle that pervades the Privacy Act and
> every other piece of pseudo-regulatory instrument in the country.
