Commonwealth Bank enters into an enforceable undertaking with the Australian Information Commissioner. A weak and ineffective regulatory response to serious data breaches.

July 2, 2019

On 27 June the relatively new Information Commissioner signed off on an enforceable undertaking with the Commonwealth Bank of Australia arising out of 2 data breaches, the first involving the loss of 2 magnetic data tapes containing what the Information Commissioner customer statements relating to 20 million customers in 2016. The CBA was not able to work out whether the records were destroyed or something else came of them. The second breach arose in August 2018 with sensitive information being available to those who were not able to access that material. This enforceable undertaking was entered into with the CBA already the subject of a very critical APRA report on the CBA’s risk management and reactive approach to compliance. The CBA entered into an enforceable undertaking from the CBA in early May 2018. And yet the CBA was involved in a second data breach 3 months later, in August 2018. What does that say about CBA’s commitment to risk management?

There is a contrast in styles between the Information Commissioner’s media release and that of the Bank.

The Commissioner’s media release reads Read the rest of this entry »

Jeremy Lee v Superior Wood Pty Ltd [2019] FWCFB 2946; Full Bench of the Fair Work Commission considering breach of the Privacy Act, biometric data, unfair dismissal

July 1, 2019

The Full Bench of the Fair Work Commission recently handed down a very important decision in Lee v Superior Wood Pty Ltd [2019] FWCFB 2946 regarding the application of the Privacy Act. The Full Bench undertook a careful analysis of the Act and applied the Australian Privacy Principles (the APPs) to the facts in the context of an unfair dismissal claim, in this case an appeal from a Commissioner at first instance.

The Facts

Superior Wood operates two sawmills at Melawondi and Imbil [2] in Queensland. It had approximately 150 employees, 80 of whom, including Lee, worked at the Imbil site. Lee was employed as a casual general hand and worked for 3 ¼ years. Superior Wood is Read the rest of this entry »

Tim Cook’s Commencement address at Stanford puts privacy front and centre of the current technology debate

June 24, 2019

Amongst the big 4 tech giants in their own given areas, Microsoft, Google, Facebook and Apple, Apple has made the strongest public stand on protecting its users’ privacy. It took a stand on protecting privacy as a civil rights issue in 2016 when it refused to assist the FBI in cracking a password on an iPhone owned by a terrorist. That included fighting the FBI in the Federal Court.

Facebook’s recent pivot to a privacy-friendly future with the statement A Privacy-Focused Vision for Social Networking in March has been treated with some scepticism when the Guardian recently reported that Zuckerberg knew of poor privacy practices associated with the Cambridge Analytica scandal. The evidence is emails uncovered by the Federal Trade Commission in its investigation as to whether Facebook has breached a 20 year consent decree, which it almost certainly has. Facebook has reportedly set aside $3 billion in anticipation of a record fine from the FTC though the figure could be as high as $5 billion. Today Facebook through Read the rest of this entry »

Australian Catholic University suffers a data breach…another university gets hacked

June 17, 2019

Earlier this month the Australian National University suffered a data breach, see my post here. Now the Fairfax press reports in Australian Catholic University staff details stolen in fresh data breach that the Australian Catholic University has suffered a data breach where personal information has been stolen. The hackers Read the rest of this entry »

Radiohead makes the best of a bad situation and releases stolen session recording before the hackers/thieves do.

June 12, 2019

Recordings of outtakes and studio sessions from Radiohead’s OK Computer album have been released by Radiohead to thwart the thieves or hackers who obtained a copy held by band member Thom Yorke. The villains wanted a ransom or they would be released according to the Fairfax Press in ‘Hacked the hackers’: Radiohead releases 18 hours of ‘stolen’ OK Computer sessions. So Radiohead rendered the threat meaningless and released the material. The release is not free, costing 18 pounds, so is not an altruistic gesture. The next turn is the villain’s: does he (it is usually a he) or they release the material for free, thereby reducing Radiohead’s revenue? It wouldn’t completely Read the rest of this entry »

Hack attack on Westpac PayID exposes data of 100,000

June 4, 2019

Financial institutions and health care facilities are by far and away the most attractive and attacked sites for hackers. Accessing personal information to permit access and transfer of funds from financial institutions is an obvious attraction. Health facilities as a matter of course collect names, addresses, dates of birth, insurance information, government identifiers and oftentimes credit card information. That accumulation of data in one place, which depressingly is what health facilities usually do, permits a hacker to sell that information on the dark web or embark on identity theft himself (most hackers, based on evidence to date, being male).

Westpac has suffered a data breach as reported in Almost 100,000 Australians’ private details exposed in attack on Westpac’s PayID. The aim and partial success was to access personal information to later use to commit acts of fraud.

There are three interesting aspects to the story. The first is that details of the attack became public only because someone close to or in Westpac, NPP or both posted details as an item of interest on Whirlpool. The second is that the attack highlights the vulnerability of apps and other services designed for quick and easy use of banking facilities. There is often a trade-off, at least in the developer’s mindset, between ease of use and protection from hacking. Apps are often weak links in data security. The third issue is Read the rest of this entry »

A spate of leaks (read data breaches) from Governments

May 29, 2019

Leaks from government are as old as government itself. Leaks serve a myriad of purposes: foreshadowing a decision, undermining opponents or their plans, acting as a stalking horse to gauge public opinion and being a straw man that can be used to kill off a measure that is uncomfortably close to being announced, just to mention a few. Leaking of plans, discussions, decisions made or not made and strategies is rarely seen as edifying, and often treated as something a little icky, but it is universally seen as a legitimate tool in the black bag of political tricks. It is also oftentimes quite effective, killing off proposals and sometimes political careers. Leaking personal information is something else however. Which is why yesterday’s story about the leak of motorists’ details being linked to a New South Wales Minister’s office is so serious. The leak was of a spreadsheet containing the personal information of hundreds of motorists which found its way into the hands of a journalist. The genesis of the breach is Read the rest of this entry »

Information Commissioner finds that she has no jurisdiction regarding complaints of interference with privacy against Tim Wilson and ‘’ website

April 10, 2019

The Information Commissioner announced, on 8 April 2019, that she does not have the power to investigate a complaint about a breach of the Privacy Act by Tim Wilson or Wilson Asset Management (International) Pty Ltd in relation to the collection and use of personal information through the ‘’ website. The website and the collection of data caused some controversy. In Tim Wilson’s ‘retirement tax’ website doesn’t have a privacy policy. So how is he using the data? Andre Oboler in a traditional academic “on – the – one – hand – and – on – the – other” analysis raised the complications of determining whether a Parliamentarian operating a website falls within the political exemption provisions of the Privacy Act or is covered by parliamentary privilege, by virtue of his work as a chair of the standing committee on Economics, either of which would deny the Commissioner jurisdiction. The other coverage, such as Liberal MP Tim Wilson faces ‘breach of privacy’ claims and Labor pushes to refer Tim Wilson to privileges committee, is more red-blooded political reporting.

Mr Oboler was prescient Read the rest of this entry »

Facebook data breach affects 110,000 Australians’ personal information

April 1, 2019

Facebook has a tendency to advocate vague improvements to its privacy policies and call for improved and stronger regulation after some or other egregious privacy breach or oppressive monopolistic act is uncovered.  In the last year Facebook has been battered by the Cambridge Analytica scandal, clear evidence of its platform being used by foreign players to influence elections and a seemingly regular stream of less dramatic but no less worrying privacy breaches.  Facebook’s standard response to such problems has been a combination of virtue signalling and getting on board the reform wagon so as to moderate its outcomes. In early March Zuckerberg described the move to private messaging as being his “pivot to privacy” in communications.  After the briefest of analyses it was ridiculed and seen to be more about presentation than product according to the Wire’s Facebook’s Pivot to Privacy Is Missing Something Crucial and Forbes’ Facebook’s Fake Pivot To Privacy and Slate’s Facebook’s Awkward Pivot to Privacy.

Mark Zuckerberg’s reported very recent call for a “more active” role for government regulation in internet privacy and election laws has a similar feel of a polished response to criticism. Except that the complaints are long lasting and the potential of real action by governments is real. The last edition of the Economist highlighted the steps being taken by the Europeans, a huge market, against Facebook and Google, amongst others, for their privacy unfriendly practices. And those steps are not confined to Europe. American legislators are, for the fourth time, considering more comprehensive privacy laws or trust busting action.

So while there is reason to be sceptical about Facebook’s motives, the pressure on Facebook and Google is such that there may be actual improvement.

And there should be, given the impact of the privacy breaches in Australia with Read the rest of this entry »

A’la Carte Homes Pty Ltd v AAPD CO P/L [2019] VSC 108 (5 March 2019): application to set aside, section 459J Corporations Act

March 13, 2019

In A’la Carte Homes Pty Ltd v AAPD CO P/L [2019] VSC 108 the Supreme Court, per Randall AsJ, set aside a statutory demand. The key issue was the failure to describe the assignment of a debt in the statutory demand or accompanying affidavit.


The application was made under ss 459G, 459H and 459J of the Corporations Act 2001 (Cth). The orders sought were Read the rest of this entry »