Commonwealth bank data breach of 20 million accounts highlights that people regard privacy as important, the Information Commissioner is a lax regulator and that the threatened Government action shows that privacy laws and regulation in Australia are a complete mess

May 6, 2018

As is the way of it big data breaches there has been a ripple effect with the Commonwealth Bank’s data breach of losing track of records affecting 12 million customers and 20 million accounts.  The banks initial “not much to see here” explanation on its home page has morphed into a sort of acceptance, via comment to the media, that it should have come clean earlier.  Which is in and of itself a misrepresentation.  It never actually came clean with the public.  The breach was exposed and only then did it state that it had advised the Information Commissioner.  That is not coming clean. The CBA is now notifying affected customers.  Two years after the event.

The CBA’s explanation has been the rightly subject of criticism.  Typical of that criticism, and that of the regulators, is the Read the rest of this entry »

The UK Information Commissioner releases its Guide to the General Data Protection Regulation

The UK Information Commissioner’s Office (the ICO) produces excellent guides relating to UK and EU laws. They are much clearer, specific and, therefore, useful than the guidances produced by the Australian Information Commissioner.  Given the legislation and regulations in this area of the law is principles based having good guidances is critical.

The ICO has produces its Guide to the General Data Protection Regulation (GDPR).  A 171 page tome on all matters relating to compliance with the GDPR.  The GDPR is about to take effect in Europe, on 25 May 2018 to be precise.  It’s impact will range farther than the borders of the European Union.    Even Mark Zuckerberg in his much vaunted testimony to Congress in April said Facebook would, eventually, comply with the GDPR.

The GDPR differs from the Australian Privacy Principles.  It is much more comprehensive.  However that does not mean that they are not relevant for Australian practitioners.  Companies with a significant presence in the EU will need to be aware of the GDPR requirements.  At the local level Read the rest of this entry »

Another revenge porn story, this time involving an ex AFL footballer highlights the poor privacy law protections

May 4, 2018

Today’s story in the Age of a video footage of Dane Swan, former AFL player, being circulated on line highlights the total inadequacy of Australia’s privacy protections.  Governments have been keen to criminalise the acts of distributing intimate videos and pictures on line without the consent of the subject of those images but have been totally unwilling to give individuals a civil right to take action of their own volition for such breaches.  In short, it comes down to the police having to carry the load totally when an individual may wish to also exercise their right.  Governments have been virtue signallers at best. Yes criminalise the conduct but provide proper privacy protection through a statutory tort of invasion of privacy.

The problem with the half measure that exists is Read the rest of this entry »

A significant data breach by the Commonwealth Bank. The real question, what will be the consequences..

May 3, 2018

The Commonwealth Bank of Australia has suffered a major data breach involving the records of 20 million customers.  In 2016.  It has only made this public now after media reports.  The CBA only made a statement after the media reports.  That is a dreadful approach to data breaches.  Conceal until you can’t.  Then obfuscate.  The CBA is not an outlier in its reaction to this data breach.  Unfortunately it is all too common in Australia.  Perhaps that will change with the mandatory data breach notification scheme but proper enforcement is required.  Incredibly the Information Commissioner was notified in 2016.  And took no enforcement action.  No enforceable undertakings even.  That was, and remains, a dreadful mistake.  The Australian Prudential Regulation Authority that has been more active and transparent than the Information Commissioner’s Office in dealing with privacy breaches.  If that is not an indictment on the Information Commissioner Read the rest of this entry »

Data breach of a lawyers office that resulted in unauthorised access to client file results in a malpractice suit against the firm confirming that lawyers tend to be lousy when it comes to data security

May 2, 2018

Law firms are a key target of hackers.  That has been known for some time. Lawyers hold sensitive client information which has value to competitors and criminals.  They also hold personal information which can be used for identity theft.  Finally they control bank accounts that hold signfiicant sums, such as proceeds of sales and purchases, client money held in trust and payments made to the lawyers but not distributed.  Law firms are also key targets because they are generally inept at data security.

The consequences can be catastrophic as the closure of the Panamanian firm Mossack Fonseca on 15 March 2018 after the release of the Panama Papers. A leading offshore Bermuda based law firm, Appleby suffered a data breach in October last year. In April last year a Providence law firm was hit with a ransomware attack which resulted in lost billings of $700,000.  The American Bar Association noted that in 2015, approximately one quarter of all U.S. law firms with 100 or more lawyers had experienced a data breach through hacker or website attacks, break-ins, or lost or stolen computers or phones and 15 percent of all law firms overall, regardless of size, had reported an unauthorized intrusion into the firm’s computer files, up from 10 percent in 2012.  In a report last year LogicForce found that law firms were in the main woefully unprepared with Read the rest of this entry »

In the Matter of Innovateq Pty Ltd [2018] VSC 124 (24 April 2018): Corporations, bringing proceedings under s 237 Corporations Act, application to wind up company, section 461

Justice Kennedy in In the Matter of Innovateq Pty Ltd [2018] VSC 124 considered an application under section 237 of the Corporations Act for leave to commence proceedings in a derivative action.  Judgments regarding leave applications are relatively uncommon.


The proceeding involved two applications:

  • leave to the plaintiff pursuant to s 237 of the Corporations Act 2001 (Cth) (Act) to commence court proceedings in the name of Innovateq Pty Ltd (ACN 132 372 242) (Company) against Mr Daniel Phillips (a former employee) and two companies associated with him, Certeq Pty Ltd and Certeq NZ Pty Ltd (Certeq) (Leave Application); and
  • for an order that the Company be wound up (Winding Up Application).

The Company, in its capacity as trustee for the Read the rest of this entry »

Privacy Commissioner speech on Digital Media and Digital Advertising

April 17, 2018

The Acting Privacy Commissioner, Angelene Falk, recently gave a speech titled Privacy in Digital Media and Digital Advertising.

It is a speech very much in the vein of the previous Privacy Commissioner, completely unobjectionable, very reasonable, topical and accurate.  It hit the current affairs notes, commenting on Facebook/Cambridge Analytica and the topical regulatory change, the upcoming implemention of the GDPR in Europe.  It also is completely neutral about what the regulator expects in concrete terms and what it may do in “fostering a privacy culture…”  And that does not bode all that well for a change in direction for one of the least effective regulators at the Commonwealth level.  Bromides and exhortations to comply with the law are fine but never as effective as strategic and forceful enforcement which will send a message to the market.

The speech relevantly Read the rest of this entry »

FTC revisits consent agreement with Uber after discovering Uber concealed other data breaches

In August 2017 Uber entered into a consent agreement with the US Federal Trade Commission (FTC) arising out of a data breach in May 2014 which revealed Uber’s unreasonable security practices.  I did a post on this settlement in August here. Settlements with the FTC can be onerous, unlike the limp enforceable undertakings in Australia, but better than being the subject of litigation.  Unfortunately Uber knew in 2016 that it had suffered a data breach in 2016 from lax security associated with third party cloud services, while the FTC was investigating the 2014 breach, but did not disclose it to the FTC.  In fact it deliberately covered it up and attempted to pay off the hackers (see my post in November 2017). A classic case of the cover up causing more problems than the breach for the organisation.

The FTC described it Read the rest of this entry »

Harstedt Pty Ltd v Tomanek [2018] VSCA 84 (10 April 2018): Trustees and trust, accessorial liability, the second limb of Barnes v Addy, fraudulent breach of trust

April 15, 2018

The Victorian Court of Appeal in Harstedt Pty Ltd v Tomanek [2018] VSCA 84 considered the operation of the second limb of Barnes v Addy and, in particular the requirement to establish knowing assistance.


The genesis of the action and appeal was a failed investment scheme known as a private placement program. Investors were promised profits which were to be generated by the investment of capital by a humanitarian organisation [1].

The director of Harstedt, Jeffrey Olsen, had been a stockbroker for about 15 years. In late 2006, he was approached by Noel Carter who said that he had an investment proposal. The investment was described as a ‘private placement program’ for a not-for-profit humanitarian organisation called the ‘Isaiah 61 Foundation’ which would use investors’ capital to make substantial profits under an agreement [4].  Olsen was initially not interested as it offered no capital protection .

At a conference at Carter’s office on 3 March 2007,  Olsen met Stephen Moriarty (“Moriaty”). To meet Olsen’s concerns about capital protection Moriarty  said that funds contributed by Australian investors would stay in Australia in a ‘non-depleting’ account and that the funds would not Read the rest of this entry »

Early report on mandatory data breach notification laws – Australian Information Commissioner releases first quarterly report. Sixty three notified breaches in the first 6 weeks of the law’s operation

April 12, 2018

The Office of the Australian Information Commissioner has published the first quarterly report on data breach notifications under the mandatory data breach notification legislation which came into effect on 22 February 2018. Not surprisingly the on a pro rata basis the number of notifications far exceeds the rate of notification under the previously voluntary scheme, 63 breaches in 6 weeks as opposed to 114 notifications in the last 52 weeks of the voluntary scheme.  If the rate of notifications remain consistent then 546 reports could be expected, almost 5 times the rate under the voluntary scheme. Because the legislation requires the organisation and agency to undertake self assessment as to whether a breach requires notification and some organisations will seek to take a less conservative approach, and take a risk in doing so, the figures are probably not a complete record of data breaches Read the rest of this entry »