The Federal Circuit and Family Court of Australia (Division 2) (General Federal Law) Rules 2025 commences 1 September 2025. As do new Practice Directions. This Monday.

August 30, 2025

There will be a change to the Rules of the Federal Circuit Court and Family Court (Division 2). New Practice Directions will also take effect, being:

  • Central Practice Direction: General Federal Law Proceedings
  • Central Practice Direction: Migration Proceedings
  • General Federal Law Practice Direction: Admiralty and Maritime Proceedings;
  • General Federal Law Practice Direction: Intellectual Property Proceedings.

Practice Directions

The Court’s summary of the Practice Directions provides:

Central Practice Direction: General Federal Law Proceedings

  • updates to reflect new rule references in the new GFL Rules.
  • updates removing child support from the types of proceeding listed as within the Court’s general federal law jurisdiction, to reflect that child support proceedings must now be heard in the family law jurisdiction.
  • new item 3.2 on the overarching purpose stating that parties and their lawyers have a duty to co-operate with the Court and amongst practitioners.
  • new section 4 stating the procedural requirements for parties seeking to file an urgent application.
  • new item 6.3 on case management stating that the Court expects a party to seek consent of all other parties when seeking to adjourn a hearing or vacate a listing date.
  • updates to section 8 on ending a proceeding early to reflect that parties can file a notice of discontinuance at any time before the first court date, or, if the proceeding is continued on pleadings, any time before the pleadings have closed. This includes new item 8.2 which states that the notice of discontinuance can be filed at a later date with the leave of the court or the other parties’ consent, if judgment has not been entered.
  • new section 10 on parties’ conduct and communication with the Court stating the requirements for parties when communicating with each other, the Court and all Court staff. 

Central Practice Direction: Migration Proceedings

  • this is a new Practice Direction, some items in the previous Migration Practice Direction remain and new items have been included.
  • updates to reflect new rule references under the new GFL Rules.
  • new section 3 including:
    • the assignment of a pseudonym to litigants
    • the requirements for how parties are to be named in migration proceedings
    • the requirement that all Court documents must include the details of the person who prepared the document irrespective of whether that person is a lawyer
    • the obligations under section 486E of the Migration Act 1958 (Cth)
    • the requirements for notifying the other party when filing documents with the Court.
  • new section 4 regarding how the Court triages matters before they are allocated to a judicial officer for determination.
  • new section 5 stating the requirements for parties seeking to file an urgent application.
  • new section 6 regarding the non-removal from Australia of detainees with litigation before the Court.
  • new section 7 regarding matters involving a party who is in immigration detention.
  • new section 8 regarding the requirement for the solicitor for the Minister to prepare a Court Book and what it must include. This section also includes the Court’s requirements where a party wishes to rely on authorities.
  • new section 9 on interview/hearing audio and transcripts.
  • new section 10 regarding requests for adjournment.
  • new section 12 regarding the requirements for Direct Access Barristers.
  • new section 13 on parties’ conduct and communication with the Court stating the requirements for parties when communicating with each other, the Court and all Court staff.

General Federal Law Practice Direction: Admiralty and Maritime Proceedings

  • updates to reflect new rule references under the new GFL Rules.
  • new item 1.2 reflecting that parties have a duty to act consistently with the overarching purpose, and practitioners must assist parties to comply with the duty.
  • removal of section 8 on urgent applications due to new section 4 in the Central Practice Direction – General Federal Law Proceedings.


Sam and Brittany Groth have issued proceedings against the Herald and Weekly Times alleging a breach of the statutory tort of serious invasion of privacy.

Sam and Brittany Groth have issued proceedings in the Federal Magistrates Court against the Herald and Weekly Times alleging a breach of privacy or, more accurately, a breach of the statutory tort of serious invasion of privacy. The Court number is VID1130/2025 and there are 3 respondents: the Herald and Weekly Times, Stephen Drill and Sam Weir. The story is covered by 3AW (with audio) in Deputy opposition leader launches legal action over controversial reporting. The Australian Financial Review also covers it

ASIC commences action against FIIG Securities for cyber security failures

March 14, 2025


The Australian Securities and Investments Commission announced yesterday that it was suing FIIG Securities for “systemic and prolonged cyber security failures” from March 2019 until 8 June 2023. As a result hackers entered FIIG’s IT system and stole personal information which was released onto the dark web. ASIC specifically referred to the Federal Court decision of Australian Securities and Investments Commission v RI Advice Group Pty Ltd (No 3) [2022] FCA 84. This was the first case where the failure to manage cyber risk was found to be a breach of a licensee’s financial services obligations. That case was settled, with the parties proposing consent orders containing declarations and consequential orders. Given the nature of the repeated breaches, RI Advice’s legal representatives negotiated quite a favourable outcome, notwithstanding that orders were made against their client. In the United States or the UK the penalties would have been much more severe.

Helpfully, ASIC has provided a concise statement of facts and the Originating Process. In those documents ASIC alleges that between 13 March 2019 and 8 June 2023, FIIG did not comply with its AFSL obligations under section 912A(1) of the Corporations Act 2001 (Cth) to:

  1. do all things necessary to ensure that financial services were provided efficiently, honestly and fairly (s 912A(1)(a)), by failing to have in place adequate measures to protect its clients from the risks and consequences of a cyber incident;
  2. have available adequate resources (including financial, technological, and human resources) to, amongst other things, ensure that it had in place adequate cyber security measures required by its licence (s 912A(1)(d)); and
  3. have in place a risk management system that adequately identified and evaluated the risks faced by FIIG and its clients; adopt controls adequate to manage or mitigate those risks to a reasonable level; and implement those controls (s 912A(1)(h)).

ASIC alleges that FIIG failed to have the following cybersecurity measures:

  • Planning and training: there was no cyber incident plan communicated and accessible to employees and tested at least annually, and no mandatory cyber security training (at commencement of employment and annually);
  • Access restrictions:
    • there was no proper management of privileged access to accounts, including revoking access that was not required, and greater protections for privileged accounts; and
    • no configuration of group policies to disable legacy and insecure authentication protocols;
  • Technical monitoring, detection, patches and updates: there was a failure to have, or there was inadequate:
    • vulnerability scanning, involving tools deployed across networks and endpoints, and processes run at least quarterly with results reviewed and actions taken to address vulnerabilities;
    • next-generation firewalls (including rules preventing endpoints from accessing file transfer protocol services);
    • endpoint detection and response software on all endpoints and servers, with automatic updates and daily monitoring by a sufficiently skilled person;
    • patching and software update plans (with critical or high importance patches applied within 1 month of release, and 3 months for all others), and a practice of updating all operating systems, with compensating controls to systems incapable of patching or updates; and
    • security incident event management software configured to collect and consolidate security information across all of FIIG’s systems with appropriate analysis of the same (daily monitoring);
  • Testing: there was a lack of
    • processes to review and evaluate efficacy of technical controls at least quarterly; and
    • penetration and vulnerability tests from internal and external points.


About 160,000 members join the Optus data breach class action

December 11, 2024

The Australian reports in Class action against Optus after 2022 data breach registers 160,000 members that about 160,000 members have joined in the class action against Optus resulting from the 2022 data breach. This report is based on submissions made at a case management hearing before Justice Beach today. 

The class action is brought in proceeding PETER JULIAN ROBERTSON & ANOR v SINGTEL OPTUS PTY LIMITED ACN 052 833 208 & ORS (number VID256/2023).

The article provides:

About 160,000 people whose passport and Medicare numbers were leaked online after Optus was hacked in 2022 have registered to partake in a class action against the telco.

Appearing for class action behemoth Slater & Gordon, barrister William Edwards, KC, told the Federal Court on Wednesday the estimated number of members to join the action, which alleges Optus failed to protect the personal information of 9.8 million of its current and former customers whose personal data was leaked online after a cyber attack.

The court was told Optus and Slater & Gordon were still trying to settle the case by mediation, with a hearing possible if that failed.

In court, the parties argued over how much security Slater & Gordon should give Optus since it insisted on a secretive regime to keep documents exchanged in the case away from the public.

Barilaro v Google LLC [2022] FCA 650 (6 June 2022): Defamation, videos uploaded to YouTube, where respondent failed to take down videos, award of over $700,000.

June 7, 2022

The Federal Court, per Rares J, found for John Barilaro in Barilaro v Google LLC [2022] FCA 650 for defamation by means of posts on YouTube and awarded him $715,000.

FACTS

The publications complained of were two YouTube videos prepared by a Mr Shanks:

  • bruz, first uploaded on 14 September 2020.  The contents are described in great detail at [33] – [63]; and
  • Secret Dictatorship, first uploaded on 21 October 2020 [3].  It is described in great detail at [81] – [91]

The imputations pleaded in respect of the bruz video were that:

(a) Mr Barilaro is a corrupt conman;

(b) Mr Barilaro committed perjury nine times;

(c) Mr Barilaro has so conducted himself in committing perjury nine times that he should be gaoled;

(d) Mr Barilaro corruptly gave $3.3 million to a beef company; and

(e) Mr Barilaro corruptly voted against a Royal Commission into water theft [4].

The imputations pleaded in respect of the Secret Dictatorship video were that:

(a) Mr Barilaro has acted corruptly by engaging in the blackmailing of councillors;

(b) Mr Barilaro has acted corruptly by engaging in the blackmailing of councillors using taxpayer money; and

(c) Mr Barilaro has pocketed millions of dollars which have been stolen from the Narrandera Shire Council [5].

On 25 November 2020 Barilaro’s chief of staff, McCormack, contacted Google Australia’s manager to complain about the racist and untrue content of friendlyjordies videos [129]. On 30 November 2020 Barilaro’s social media manager made a formal complaint to YouTube about the allegations

CBS Commercial Canberra Pty Ltd v Axis Commercial (ACT) Pty Ltd, in the matter of CBS Commercial Canberra Pty Ltd [2022] FCA 544 (12 May 2022): application to set aside statutory demand, offsetting claim,

May 15, 2022

The Federal Court, per Halley J, set aside a statutory demand in CBS Commercial Canberra Pty Ltd v Axis Commercial (ACT) Pty Ltd, in the matter of CBS Commercial Canberra Pty Ltd [2022] FCA 544 in finding that an offsetting claim constitutes a genuine dispute. It is a very good decision setting out the complications of offsetting claims arising from building contracts relied upon in setting aside a statutory demand which is based on a certificate and judgment obtained under the Security of Payments Act.

FACTS

CBS engaged Axis as a sub-contractor to undertake work at a building site located in Gungahlin in the Australian Capital Territory [12].

The chronological events

Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (5 May 2022): ss 912A(1)(a) & (h) Corporations Act 2001 (Cth), failure to have adequate cybersecurity risk management in place,

May 14, 2022

The Federal Court, per Rofe J, in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 made what has widely been described as the first finding that a corporation breached its licence obligations by failing to have adequate risk management systems to manage its cyber security risks. The Court ordered declaratory relief requiring RI Advice to undertake work to improve its security under the supervision of an expert.

The orders were made in terms agreed between the parties just before the trial was scheduled to commence.

I have followed this proceeding closely with posts ASIC commences action against RI Advice Group Pty Ltd for failing to have adequate cyber security in August 2020 and ASIC v RI Advice Group Pty Ltd cyber security civil penalty trial pushed off from a 29 November 2021 hearing date to a date in April 2022 in May 2021.

FACTS

The Court provided a factual background, stating that RI Advice:

  • was:
    • a wholly-owned subsidiary of Australia and New Zealand Banking Group Limited (ANZ) up to and including September 2018;
    • from 1 October 2018, along with two other ANZ financial licensees, part of the IOOF Holdings Limited (IOOF) group of companies [12];
  • carries on a financial services business within the meaning of s 761A of the Corporations Act (“the Act”) under a third-party business owner model;
  • under s 916A of the Act, authorises independently-owned corporate authorised representatives (“ARs”) and individual authorised representatives to provide financial services to retail clients on RI Advice’s behalf and pursuant to the Licence [13].

The AR Practices (practices of groups of one or more Authorised Representatives):

  • electronically received, stored and accessed confidential and sensitive personal information and documents in relation to their retail clients. The personal information included:

(a) personal details, including full names, addresses and dates of birth and in some instances health information;

(b) contact information, including contact phone numbers and email addresses; and

(c) copies of documents such as driver’s licences, passports and other financial information [14].

  • since 15 May 2018 provided financial services to at least 60,000 retail clients [15]
  • had 9 cybersecurity incidents between June 2014 and May 2020, being:
    • in June 2014 an AR’s email account was hacked and five clients received a fraudulent email urging the transfer of funds, one of whom made transfers totalling some $50,000;
    • in June 2015 a third-party website provider engaged by an AR Practice was hacked, resulting in a fake home page being placed on the AR Practice’s website;
    • in September 2016 one client received a fraudulent email, purporting to be from an employee of an AR Practice, asking for money. The AR Practice used an email platform where information was stored “in the Cloud”, with no anti-virus software and only one password which everyone used;
    • in January 2017 an AR Practice’s main reception computer was subject to ransomware delivered by email, making certain files inaccessible;
    • in May 2017 an AR Practice’s server was hacked by brute force through a remote access port, resulting in a file containing the personal information of some 220 clients being held for ransom and ultimately not recoverable;
    • between December 2017 and April 2018 (December 2017 Incident) an unknown malicious agent gained unauthorised access to an AR Practice’s server for several months, compromising the personal information of several thousand clients, some of whom reported unauthorised use of the personal information;
    • in May 2018 an unknown person gained unauthorised access to the email address of an AR and sent a fraudulent email to the AR’s bookkeeper requesting a bank transfer;
    • an unauthorised person used an AR Practice’s employee’s email address:
      • in August 2019 to send phishing emails to over 150 clients; and
      • in April 2020 to send phishing emails to the AR Practice’s contacts [16].

Inquiries and reports following the cybersecurity incidents revealed that there were a variety of issues in the respective ARs’ management of cybersecurity risk, including:

  • computer systems not having up-to-date antivirus software installed and operating;
  • no filtering or quarantining of emails;
  • no backup systems in place, or backups not being performed; and
  • poor password practices including:
    • sharing of passwords between employees,
    • use of default passwords,
    • passwords and other security details being held in easily accessible places or being known by third parties [17].

Regarding the incidents

Australian Competition and Consumer Commission succeeds in alleging Google misled consumers regarding its location history settings. Privacy law enforcement via the Consumer Law

April 16, 2021

In a very significant decision of Australian Competition and Consumer Commission v Google LLC (No 2) [2021] FCA 367 the Federal Court, per Thawley J, has found that Google breached sections 18, 29 and 34 of the Australian Consumer Law (the “ACL”).  At 341 paragraphs it is a significant and detailed judgment.

Privacy policies and settings remain problematical in terms of practical, as opposed to theoretical, compliance with the Privacy Act 1988 and in providing consumers with a clear understanding of what the settings actually mean for them.  It does not help that settings are changed regularly and often without notice, with Facebook being particularly notorious in this regard.

It appears that the ACCC is stepping into the regulatory void that would otherwise be occupied by the Australian Information Commissioner in enforcing privacy protections.  By relying on misleading and deceptive conduct provisions of the ACL the ACCC is following the long established approach taken by the US Federal Trade Commission in bringing proceedings for misleading conduct where companies claim to protect privacy or have proper data security when in fact they do not.  That has led scholars to suggest that the FTC has developed a new common law of privacy. It would be a welcome development if the ACCC used its experience and superior litigation skills to enforce privacy protections in Australia.  The Information Commissioner has thus far had a dismal record in the Federal Court regarding consideration of the Privacy Act 1988.

The proceedings commenced in October 2019. Final orders will not be made for at least 14 days as the parties are to provide orders to reflect the court’s conclusions.  Given the nature of the findings it is reasonable to expect

Australian Information Commissioner v Facebook Inc; Federal Court rejects application to set aside ruling granting the Commissioner leave to serve process on the US Based Facebook

September 14, 2020

The Federal Court today dismissed an application by Facebook against a previous ruling granting the Australian Information Commissioner leave to serve legal documents on Facebook USA.

The issue in the application was Facebook contending that it did not carry out business in Australia.

The terms of the application and the supporting affidavit are not publicly searchable, yet. The hearing took place on 6 May 2020.

The orders of Justice Thawley are:

  1. The interlocutory application dated 6 May 2020 be dismissed.
  2. The written reasons for judgment not be published beyond the parties until further order.
  3. The parties have until 12 pm on 16 September 2020 to advise the Court of any orders for redactions sought, together with a concise written explanation as to why those redactions ought be made.
  4. Unless any party applies within 7 days for a different order with respect to costs, the first respondent pay the applicant’s costs of the interlocutory application.

The Commissioner had a restrained

ASIC commences action against RI Advice Group Pty Ltd for failing to have adequate cyber security

August 22, 2020

Today the Australian Securities and Investments Commission (“ASIC”) commenced proceedings against RI Advice Group Pty Ltd (“RI”). The proceeding has been filed in the Federal Court Victorian Registry.

RI holds an Australian Financial Services Licence and at all relevant times was a wholly owned subsidiary of the Australia and New Zealand Banking Group Limited (the ANZ).

According to the Concise Statement:

  • on 3 January or 3 March 2017 RI became aware of a ransomware attack on the computer systems of one of RI’s authorised representatives in 2016 which made files inaccessible [5];
  • on 30 May 2017 RI became aware another authorised representative’s files were hacked which affected 226 client groups [6]. 

ASIC alleges that in relation to each of those incidents RI should have but failed to:

(a) properly review the effectiveness of cybersecurity controls relevant to these incidents across its AR network, including account lockout policies for failed log-ins, password complexity, multi-factor authentication, port security, log monitoring of cybersecurity events, cyber training and awareness, email filtering, application whitelisting, privilege management and incident response controls; and

(b) ensure that those controls were remediated across its AR network where necessary in a timely manner, in order to adequately manage risk with respect to cybersecurity and cyber resilience.

  • between 30 December 2017 and 15 April 2018 an unknown malicious agent obtained and retained remote access to an authorised representative’s file server and spent 155 hours accessing sensitive client information. That resulted in 27 clients reporting unauthorised use of their personal information, with 3 attempts to redirect mail and multiple bank accounts being opened without consent. There was a notification to the Australian Information Commissioner. An investigation revealed that 8,104 individuals were exposed to the breach.

ASIC alleges that the risk management systems and resourcing relating to cybersecurity and cyber resilience were inadequate