The Acting Privacy Commissioner, Angelene Falk, recently gave a speech titled Privacy in Digital Media and Digital Advertising.

It is a speech very much in the vein of the previous Privacy Commissioner, completely unobjectionable, very reasonable, topical and accurate.  It hit the current affairs notes, commenting on Facebook/Cambridge Analytica and the topical regulatory change, the upcoming implemention of the GDPR in Europe.  It also is completely neutral about what the regulator expects in concrete terms and what it may do in “fostering a privacy culture…”  And that does not bode all that well for a change in direction for one of the least effective regulators at the Commonwealth level.  Bromides and exhortations to comply with the law are fine but never as effective as strategic and forceful enforcement which will send a message to the market.

The speech relevantly Read the rest of this entry »

In August 2017 Uber entered into a consent agreement with the US Federal Trade Commission (FTC) arising out of a data breach in May 2014 which revealed Uber’s unreasonable security practices.  I did a post on this settlement in August here. Settlements with the FTC can be onerous, unlike the limp enforceable undertakings in Australia, but better than being the subject of litigation.  Unfortunately Uber knew in 2016 that it had suffered a data breach in 2016 from lax security associated with third party cloud services, while the FTC was investigating the 2014 breach, but did not disclose it to the FTC.  In fact it deliberately covered it up and attempted to pay off the hackers (see my post in November 2017). A classic case of the cover up causing more problems than the breach for the organisation.

The FTC described it Read the rest of this entry »

The Victorian Court of Appeal in Harstedt Pty Ltd v Tomanek [2018] VSCA 84 considered the operation of the second limb of Barnes v Addy and, in particular the requirement to establish knowing assistance.

FACTS

The genesis of the action and appeal was a failed investment scheme known as a private placement program. Investors were promised profits which were to be generated by the investment of capital by a humanitarian organisation [1].

The director of Harstedt, Jeffrey Olsen, had been a stockbroker for about 15 years. In late 2006, he was approached by Noel Carter who said that he had an investment proposal. The investment was described as a ‘private placement program’ for a not-for-profit humanitarian organisation called the ‘Isaiah 61 Foundation’ which would use investors’ capital to make substantial profits under an agreement [4].  Olsen was initially not interested as it offered no capital protection .

At a conference at Carter’s office on 3 March 2007,  Olsen met Stephen Moriarty (“Moriaty”). To meet Olsen’s concerns about capital protection Moriarty  said that funds contributed by Australian investors would stay in Australia in a ‘non-depleting’ account and that the funds would not Read the rest of this entry »

The Office of the Australian Information Commissioner has published the first quarterly report on data breach notifications under the mandatory data breach notification legislation which came into effect on 22 February 2018. Not surprisingly the on a pro rata basis the number of notifications far exceeds the rate of notification under the previously voluntary scheme, 63 breaches in 6 weeks as opposed to 114 notifications in the last 52 weeks of the voluntary scheme.  If the rate of notifications remain consistent then 546 reports could be expected, almost 5 times the rate under the voluntary scheme. Because the legislation requires the organisation and agency to undertake self assessment as to whether a breach requires notification and some organisations will seek to take a less conservative approach, and take a risk in doing so, the figures are probably not a complete record of data breaches Read the rest of this entry »