March 31, 2022
The Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 passed through the Senate on 30 March 2022. This comes hot on the heels of the Security Legislation Amendment (Critical Infrastructure) Act 2021 (No. 124, 2021). The genesis of the current legislation is the 99-page Advisory report on the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018, which was prepared by the Parliamentary Joint Committee on Intelligence and Security and tabled in September 2021.
The USA also has critical infrastructure legislation. Most recently President Biden signed the Strengthening American Cybersecurity Act of 2022. Under that legislation critical infrastructure entities must report cyber attacks within 72 hours and report ransom payments within 24 hours.
In short compass what does each Act do?
The Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) amended the Security of Critical Infrastructure Act 2018 (Cth). It increased the number of critical infrastructure sectors from 4 to 11. Now communications, data storage or processing, defence, energy, financial services and markets, food and grocery, health care and medical, higher education and research, space technology, transport, and water and sewerage are all included. Read the rest of this entry »
Posted in Practical issues, Privacy
March 30, 2022
In a 5-0 decision the High Court allowed an appeal from the Court of Appeal of the Supreme Court of Victoria in Stubbings v Jams 2 Pty Ltd [2022] HCA 6, a case concerning the operation of certificates of independent advice and unconscionable conduct. The lead judgment is that of Kiefel CJ, Keane and Gleeson JJ, with separate opinions by Gordon J and Steward J.
FACTS
The appellant owned two houses in Narre Warren, both mortgaged to the Commonwealth Bank with weekly repayments of between $260 and $280. The appellant did not live in either house. He lived at rental premises at Boneo, where he worked repairing boats for the owner of the property [7].
The appellant fell out with the owner, ceased work and, needing to move house, sought to purchase another property on the Mornington Peninsula [7].
At the relevant time the appellant:
- was unemployed
- had no regular income
- had not filed tax returns in several years and
- was in arrears on rates payments in respect of the two Narre Warren properties [8]
After a home loan application to ANZ was rejected for lack of financial records, the appellant was introduced to Mr Zourkas [8] who described himself as a “consultant”, in the business of introducing potential borrowers to Ajzensztat Jeruzalski & Co (“AJ Lawyers”) [9]. The service AJ Lawyers provided to clients was to facilitate the making of secured loans by those clients [9].
The primary judge found that Zourkas played an “important and essential” role in these transactions, in that his involvement ensured that AJ Lawyers never dealt directly with the borrower or guarantor, such as the appellant [9].
When the appellant and Zourkas met on a number of occasions in 2015:
- at the first meeting, the appellant said that he “wanted to buy a little house” to live in, to which Mr Zourkas responded that “there would not be a problem going bigger and getting something with land”, which resulted in the appellant finding a five-acre property with two houses on it in Fingal, available for $900,000.
- at another meeting, Zourkas told the appellant that he could borrow a sum sufficient to pay out the existing mortgages over the Narre Warren properties, purchase the Fingal property, and have approximately $53,000 remaining to go towards the first three months’ interest on the loan [10].
- Zourkas advised the appellant that he could then sell the Narre Warren properties, reducing the loan to approximately $400,000, which the appellant could then refinance with a bank at a lower interest rate [10]
The calculation was that:
- the two Narre Warren properties and the Fingal property would secure the appellant’s obligations as guarantor
- the existing debt to Commonwealth Bank secured on the Narre Warren properties totalled approximately $240,000.
- on the basis that the two properties had a market value of $770,000, the appellant’s equity was thus worth about $530,000 [11].
On 30 June 2015, the appellant signed a contract to Read the rest of this entry »
Posted in General, High Court, Legal
March 18, 2022
What’s worse, the cover-up or the crime? The answer from the Watergate cover-up was emphatically that the cover-up is where the real ill lies. For a lawyer, a manageable legal problem becomes a much more serious one when a person or organisation hides evidence of an offence. So CafePress discovered when the Federal Trade Commission (“FTC”) caught up with it for both its data breaches and its cover-up.
CafePress failed to secure its clients’ sensitive information and then tried to cover up the data breach. CafePress was hacked in February 2019, but the first reports of the breach did not appear until August of that year, including one by Forbes titled CafePress Hacked, 23M Accounts Compromised. Is Yours One Of Them? The prescient question in that article was “why has it taken so long to find out about the CafePress breach?” Good question. An equally good one might be “why have I heard about this breach from HIBP and not CafePress itself?” These are questions that have attracted the attention of the FTC, which is seeking a $500,000 payment to redress loss to consumers resulting from the data breach. As well, the owners of CafePress will be required to enter into a 20-year order covering security programs and compliance monitoring. That is standard practice for the FTC.
The FTC has set out the history and the outcome in its press release, which Read the rest of this entry »
Posted in Federal Trade Commission, Privacy
March 17, 2022
The Age has run another article on the lack of privacy online, Online privacy is a farce. Click here to agree. It is an interesting and quite well-written piece, but nothing in it hasn’t been written before, sometimes more eloquently. NBC ran a piece, Online privacy fears are real, last November. It is Read the rest of this entry »
Posted in Privacy
After a false start, the ABC is installing mandatory iview login requirements for its television services. This has raised the hackles of privacy advocates. In February The Conversation fired up with Mandatory logins for ABC iview could open an intimate window onto your life. Most recently, earlier this week, Malcolm Crompton, a former privacy commissioner, claimed that this will stymie debate and the free expression of ideas. It has also attracted the ire of itwire in ABC appears to be hell-bent on compulsory iview logins and ABC is urged to ditch hated feature on its streaming platform iview – but the public broadcaster is adamant it WILL roll out this week. Vanessa Teague has produced a very effective YouTube video setting out the problems with data sharing (https://www.youtube.com/watch?v=20bqzIoB-Fw). The problem is that, while Vanessa’s video is very thoughtful and persuasive, it has had 491 views as of today’s date. It has been the subject of chatter amongst privacy advocates but not much more than that. That makes it completely ineffective. Innovation Australia in Last ditch call to stop ABC mandatory login highlights the problem, that a last ditch effort is usually a forlorn hope. It provides:
Privacy and security experts have called on the ABC to halt its switch to mandatory user accounts at the eleventh hour, warning that the public broadcaster has failed to justify the increased risks of tracking users and sharing data with US tech giants.
Letters to ABC management from the Australian Privacy Foundation and a former privacy commissioner released this week call for the ABC to reconsider the decision, saying the purported benefits are not proportional to the risks they introduce, while a leading cybersecurity expert warned data is still being collected even though users opt-out of tracking.
The ABC intends to make the switch to mandatory user accounts for its iview video-on-demand service on Tuesday, claiming it will allow more personalisation features that it says users want, and that tracking audiences and their viewing habits is now commonplace. Read the rest of this entry »
Posted in General, Privacy
It is interesting to see the National Institute of Standards and Technology recently release an Introduction to Cybersecurity for Commercial Satellite Operations (NIST IR 8270). It is too interesting not to post on, even if the chances of working on cyber security for satellites are probably a little removed from most practitioners’ experience. Put another way, I am not expecting a call from Elon Musk to do some cyber security work on a SpaceX satellite. That said, the principles are as applicable to more terrestrial equipment.
The rationale for the paper is pithily described in the abstract stating:
Space is a newly emerging commercial critical infrastructure sector that is no longer the domain of only national government. Space is an inherently risky environment in which to operate, so cybersecurity risks involving commercial space – including those affecting commercial satellite vehicles – need to be understood and managed alongside other types of risks to ensure safe and successful operations.
NIST recommends using the Cybersecurity Framework to develop a profile that involves:
Step 1: Establish Scope and Priorities. While it is Read the rest of this entry »
Posted in Privacy
March 11, 2022
Ransomware remains an ongoing, growing and developing form of malware that is particularly damaging to businesses. Ransomware encrypts an organisation’s data and demands payment as a condition of restoring access to that data. It can also be used to steal information and demand additional payment in return for not disclosing the information to authorities, competitors, or the public. Ransomware attacks target the organisation’s data or critical infrastructure, disrupting or halting operations and posing a dilemma for management: pay the ransom and hope that the attackers keep their word about restoring access and not disclosing data, or do not pay the ransom and attempt to restore operations themselves. The Australian Cyber Security Centre has provided guidance on how organisations can minimise the risk of suffering a ransomware attack and what to do when attacked. In my experience many organisations do not have regard to this or any other guidance until it is too late. Given the potentially disastrous impact of a ransomware attack, this is a false economy.
By far and away the best sources of guidance and practical assistance are the publications put out by the US National Institute of Standards and Technology (“NIST”). NIST recently released Ransomware Risk Management: A Cybersecurity Framework Profile (NIST IR 8374). It is a very useful and timely document. The abstract provides:
Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access. Attackers may also steal an organization’s information and demand an additional payment in return for not disclosing the information to authorities, competitors, or the public. This Ransomware Profile identifies the Cybersecurity Framework Version 1.1 security objectives that support identifying, protecting against, detecting, responding to, and recovering from ransomware events. The profile can be used as a guide to managing the risk of ransomware events. That includes helping to gauge an organization’s level of readiness to counter ransomware threats and to deal with the potential consequences of events.
Through a table it sets out the relevant Cybersecurity Framework subcategories (identified by codes such as ID.AM-1 under the Identify function’s asset management category), together with their informative references such as ISO/IEC 27001 and the NIST special publications, against the ransomware issues they address, and explains how each applies.
Also released with it was a White Paper titled Getting Started with Cybersecurity Risk Management: Ransomware.
With the threat of ransomware growing, this “quick start guide” will help organizations use the National Institute of Standards and Technology (NIST) “Ransomware Risk Management: A Cybersecurity Framework Profile” to combat ransomware. Like the broader NIST Cybersecurity Framework, which is widely used voluntary guidance to help organizations better manage and reduce cybersecurity risk, the customized ransomware profile fosters communications and risk-based actions among internal and external stakeholders, including partners and suppliers.
The Framework provides a very useful section containing basic ransomware tips Read the rest of this entry »
Posted in Privacy
March 10, 2022
The Information Commissioner has issued privacy guidance on Individual Healthcare Identifiers (“IHIs”) on vaccination certificates. This is in addition to the guideline titled Privacy guidance for businesses collecting COVID-19 vaccination information issued on 12 November 2021.
The guidance Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy
The Information Commissioner has released the latest report on notifiable data breaches, covering the second half of 2021. There were 464 data breaches notified from July to December 2021: a total of 464 for the whole of Australia over a six-month period. According to itgovernance there were 5.1 million records breached worldwide in February 2022 alone. That such a ridiculously low number is reported to the Commissioner is ample evidence of how flawed the data breach regime remains.
There are a number of reasons for this failure in public policy. A starting point is the limited coverage of the Privacy Act. The small business exemption, as well as the journalist and political party exemptions, leaves a large part of the economy which collects, holds and uses data outside its coverage. The Notifiable Data Breaches scheme relies on self-assessment, using a long list of factors to determine whether there is likely to be serious harm. For some organisations Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy
March 9, 2022
The postscript to Re Slodyczka & Farren Pty Ltd [2022] VSC 102 is a decision by Associate Justice Hetyey regarding costs of the application.
FACTS
In the substantive judgment the plaintiff’s application to wind up the defendant in insolvency was dismissed.
The relevant facts for the purpose of considering a costs order were:
- whilst the matter was commenced by originating process filed on 11 April 2021, there were delays and adjournments [2] which resulted in two previous costs orders being made:
- on 7 July 2021, consent orders were made which, among other things, required the plaintiff to pay the defendant’s costs thrown away by reason of an adjournment of the hearing originally scheduled that day (‘the first costs order’).
- at the next hearing date, on 27 July 2021, the matter was adjourned at the request of the defendant to enable it to put on supplementary material on the question of solvency, including audited accounts for the 2019/2020 and 2020/2021 financial years. The plaintiff’s costs of the hearing were reserved (‘the second costs order’).
The defendant opposed the winding up application on the following alternative bases [4]:
(a) service of the plaintiff’s statutory demand dated 3 February 2021 (‘the statutory demand’ or ‘the demand’) was defective;
(b) the defendant was solvent and could displace the statutory presumption of insolvency;
(c) the defendant should be given leave pursuant to s 459S of the Corporations Act 2001 (Cth) (‘the Corporations Act’) to oppose the winding up application on a ground or grounds it could have relied on for the purpose of an application to set the demand aside. The grounds sought to be raised were: (i) there was a genuine dispute about the amount of the debt claimed in the statutory demand in accordance with s 459H(1)(a); (ii) the defendant had an offsetting claim for the purpose of s 459H(1)(b) of the Corporations Act; and (iii) the demand was defective and a substantial injustice would be caused to the defendant if the demand was not set aside pursuant to s 459J(1)(a) of the Corporations Act; and
(d) pursuant to s 467(1)(a) of the Corporations Act, the Court should dismiss the plaintiff’s application as a matter of discretion.
In the substantive judgment the court held [5] that:
- the defendant failed to rebut the presumption of service of the statutory demand under s 29(1) of the Acts Interpretation Act 1901 (Cth).
- the defendant succeeded in displacing the statutory presumption of insolvency on the basis that it was cash flow positive and balance sheet solvent. The proceeding was dismissed on this basis.
- the defendant’s application under s 459S of the Corporations Act was not granted because the grounds sought to be raised in respect of the plaintiff’s debt were not material to proving solvency; however, had the defendant failed to establish solvency, the court would ultimately have granted it leave
- the defendant could not pursue its argument that the Court should dismiss the plaintiff’s application in accordance with the Court’s discretion under s 467(1)(a) of the Corporations Act because of a lack of proper notice to the plaintiff Read the rest of this entry »
Posted in Corporations Law, General, Insolvency, Legal, Practice and Procedure, Supreme Court of Victoria