Question

When reporting on the number of refusals, does this include Denial of Service (DoS) attacks e.g. where millions of requests come through and the system blocks it due to a security attack?

Answer

We expect data holders to report on refusals to disclose CDR data and the CDR rules or data standards relied on to refuse to disclose that CDR data (items 11-13 of the reporting form). This includes refusals where a 429 error code was relied upon in response to a potential denial of service (DoS) attack (items 11.3, 12.5 and 13.5 of the reporting form).

CDR participants are required to keep records of this information and may be required to provide copies of these records to the ACCC upon request. Under rule 2.5, a data holder may refuse to disclose required product data in response to a request in circumstances (if any) set out in the data standards.

An example of such circumstances in relation to product data includes when the number of requests the data holder is receiving is above their service level thresholds defined in the non-functional requirements section of the data standards.