ASIC commences action against FIIG Securities for cyber security failures

March 14, 2025


The Australian Securities and Investments Commission announced yesterday that it is suing FIIG Securities for “systemic and prolonged cyber security failures” from March 2019 until 8 June 2023. As a result, hackers entered FIIG’s IT systems and stole personal information which was released onto the dark web. ASIC specifically referred to the Federal Court decision of Australian Securities and Investments Commission v RI Advice Group Pty Ltd (No 3) [2022] FCA 84. That was the first case in which a failure to manage cyber risk was found to be a breach of a licensee’s financial services obligations. It was resolved by the parties proposing consent orders containing declarations and consequential orders. Given the nature of the repeated breaches, RI Advice’s legal representatives negotiated quite a favourable outcome notwithstanding that orders were made against their client. In the United States or the UK the penalties would have been much more severe.

Helpfully ASIC has provided a concise statement of facts and the Originating Process. From those documents, ASIC alleges that between 13 March 2019 and 8 June 2023, FIIG did not comply with its AFSL obligations under section 912A(1) of the Corporations Act 2001 (Cth) to:

  1. do all things necessary to ensure that financial services were provided efficiently, honestly and fairly (s 912A(1)(a)), by failing to have in place adequate measures to protect its clients from the risks and consequences of a cyber incident;
  2. have available adequate resources (including financial, technological, and human resources) to, amongst other things, ensure that it had in place adequate cyber security measures required by its licence (s 912A(1)(d)); and
  3. have in place a risk management system that adequately identified and evaluated the risks faced by FIIG and its clients; adopt controls adequate to manage or mitigate those risks to a reasonable level; and implement those controls (s 912A(1)(h)).

ASIC alleges that FIIG failed to have in place the following cyber security measures:

  • Planning and training: there was no cyber incident plan communicated to and accessible by employees and tested at least annually, and no mandatory cyber security training (at commencement of employment and annually);
  • Access restrictions: there was no
    • proper management of privileged access to accounts, including revoking access that was no longer required and applying greater protections to privileged accounts; and
    • configuration of group policies to disable legacy and insecure authentication protocols;
  • Technical monitoring, detection, patches and updates: there was a failure to have, or inadequate,
    • vulnerability scanning, involving tools deployed across networks and endpoints, and processes run at least quarterly with results reviewed and actions taken to address vulnerabilities;
    • next-generation firewalls (including rules preventing endpoints from accessing file transfer protocol services);
    • endpoint detection and response software on all endpoints and servers, with automatic updates and daily monitoring by a sufficiently skilled person;
    • patching and software update plans (with critical or high importance patches applied within 1 month of release, and all others within 3 months), and a practice of updating all operating systems, with compensating controls for systems incapable of being patched or updated; and
    • security information and event management (SIEM) software configured to collect and consolidate security information across all of FIIG’s systems, with appropriate analysis of that information (daily monitoring);
  • Testing: there was a lack of
    • processes to review and evaluate efficacy of technical controls at least quarterly; and
    • penetration and vulnerability tests from internal and external points.
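The patching timeframes in the pleading are the kind of control that can be checked mechanically rather than asserted in a policy document. The Python below is an added example, not code from ASIC’s pleading, from FIIG or from this post: it evaluates a constructed inventory of vulnerability-scan findings against an assumed concrete reading of the pleaded timeframes (30 days for critical/high patches, 90 days for everything else) and reports patches applied late, patches overdue and still unapplied, and unpatchable systems that are covered by a compensating control. The hosts, patch identifiers, dates and the `Finding` record are all constructed for the example.

```python
"""Patch-SLA compliance check.

Added example, not code from ASIC's pleading or from FIIG. It applies an assumed
concrete reading of the pleaded timeframes: critical/high patches within 30 days
of release, everything else within 90 days. The inventory below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed SLA in days per severity; "1 month" / "3 months" read as 30 / 90 days.
SLA_DAYS: Dict[str, int] = {"critical": 30, "high": 30, "medium": 90, "low": 90}


@dataclass(frozen=True)
class Finding:
    """One scanner finding: a patch that a host needs (or needed)."""
    host: str
    patch_id: str
    severity: str
    released: date                       # vendor release date of the patch
    applied: Optional[date]              # None means the patch is still not installed
    compensating_control: bool = False   # system cannot be patched, control in place


def sla_deadline(f: Finding) -> date:
    """Latest acceptable install date under the assumed SLA."""
    return f.released + timedelta(days=SLA_DAYS[f.severity.lower()])


def classify(f: Finding, today: date) -> str:
    """Status of one finding as at `today`.

    on_time   - installed by the deadline
    late      - installed, but after the deadline (a past SLA breach)
    mitigated - not installed, but a documented compensating control exists
                (the pleading accepts this for systems incapable of patching)
    overdue   - not installed and the deadline has passed (a current breach)
    open      - not installed, deadline still in the future
    """
    deadline = sla_deadline(f)
    if f.applied is not None:
        return "on_time" if f.applied <= deadline else "late"
    if f.compensating_control:
        return "mitigated"
    return "overdue" if today > deadline else "open"


def report(findings: List[Finding], today: date) -> Tuple[Dict[str, int], List[Tuple[str, str, str, int]]]:
    """Summarise findings and list SLA breaches as (host, patch, status, days past deadline)."""
    summary = {s: 0 for s in ("on_time", "late", "mitigated", "overdue", "open")}
    breaches: List[Tuple[str, str, str, int]] = []
    for f in findings:
        status = classify(f, today)
        summary[status] += 1
        if status == "late":
            breaches.append((f.host, f.patch_id, status, (f.applied - sla_deadline(f)).days))
        elif status == "overdue":
            breaches.append((f.host, f.patch_id, status, (today - sla_deadline(f)).days))
    # Worst breaches first so a daily review starts with the oldest exposure.
    breaches.sort(key=lambda b: b[3], reverse=True)
    return summary, breaches


# Constructed inventory (hosts, patch ids and dates are made up for the example).
SAMPLE: List[Finding] = [
    Finding("srv-web-01", "KB-2023-001", "critical", date(2023, 3, 1), date(2023, 3, 20)),
    Finding("srv-db-02", "KB-2023-002", "high", date(2023, 4, 1), date(2023, 5, 15)),
    Finding("wks-105", "KB-2023-003", "medium", date(2023, 2, 1), None),
    Finding("srv-legacy-09", "KB-2023-004", "critical", date(2023, 5, 1), None, compensating_control=True),
    Finding("wks-220", "KB-2023-005", "low", date(2023, 5, 20), None),
    Finding("srv-app-03", "KB-2023-006", "critical", date(2023, 4, 20), None),
]
AS_AT = date(2023, 6, 8)  # the end of the period pleaded by ASIC

if __name__ == "__main__":
    summary, breaches = report(SAMPLE, AS_AT)
    print("summary:", summary)
    for host, patch, status, days in breaches:
        print(f"{status:8} {host:14} {patch}  {days} days past deadline")
```

Run against the constructed inventory the check finds one late patch and two overdue ones; the legacy host is reported as mitigated only because a compensating control is recorded, which is the evidence a regulator would expect to see for a system that cannot be patched.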


The EU Commission announces the publication of general purpose AI code of practice

March 12, 2025

The European Commission has released the third draft of the General-Purpose AI Code of Practice. It sets out commitments by providers of general-purpose artificial intelligence (AI) models, including:

  • documentation: the signatories commit to drawing up and keeping up-to-date model documentation, including ensuring quality, security, and integrity of the documented information and providing it to providers of AI systems and to the AI Office upon request; and
  • copyright policy

Providers of general-purpose AI models with systemic risk must commit to:

  • adopting and implementing a Safety and Security Framework that will apply to the AI models with systemic risk, as well as detail the systemic risk assessment;
  • conducting systemic risk assessment systematically at appropriate points along the entire model lifecycle;
  • selecting and further characterizing systemic risks;
  • determining the acceptability of the systemic risks;
  • implementing technical safety mitigations along the entire model lifecycle, and ensuring they are proportionate and state-of-the-art;
  • mitigating systemic risks that could arise from unauthorized access to unreleased models;
  • reporting to the AI Office on the safety and security of the models;
  • carrying out adequacy assessments;
  • implementing systemic risk responsibility allocation;
  • obtaining independent external systemic risk assessments, including model evaluations;
  • keeping track of, documenting, and reporting serious incidents to the AI Office and, as appropriate, to national competent authorities;
  • ensuring protections on non-retaliation against any worker providing information about systemic risks;
  • notifying the AI Office of relevant information and the implementation of commitments;
  • carrying out documentation, as prescribed by the code of practice and the Artificial Intelligence Act (AI Act); and
  • implementing public transparency on systemic risks stemming from their AI models with systemic risk.

The AI Office will:

  • report on the feedback received from stakeholders on the template for an adequate public summary of the training data under Article 53(1)(d) of the AI Act and outline the next steps for adopting the template; and
  • publish guidance clarifying the scope of the AI Act rules for general-purpose AI, including information on:
    • the definitions of general-purpose AI models;
    • placement of models on the market and providers;
    • exemptions for models provided under free and open-source licenses; and
    • the effects of the AI Act on models placed on the market before August 2025.

The press release

An unsurprising criticism about the upcoming statutory tort of privacy which is generally wrong

January 20, 2025

Chris Merritt is a good journalist and has ably edited the Legal Affairs section of the Australian. But he has bugbears which defy logic and fact. One of them is a statutory tort of privacy. The Australian has always had a set against the tort, primarily because of fears that it would interfere with the practice of journalism. Given the exemption which precludes a claim from being brought against journalists, this is no longer a live issue for the Australian. That of course does not stop Merritt from having a major rant against the statutory tort in last week’s Business to pay the price for new privacy tort. It is quite surprising that the Australian has been so slow to start its complaint about the statutory tort. In the past it campaigned for a long time before any tort was even proposed. Here the complaint is made after the fact.

Merritt’s complaint is that businesses will be bankrupted by being held vicariously liable for breaches of privacy committed by their employees.

The focus of the article is on the possible impact on businesses. It relies on the submissions by the Business Council of Australia and the Australian Industry Group to the Senate Committee reviewing the Bill. The BCA and the AIG have always been hostile to any form of actionable right to privacy, and their submissions on this heavily circumscribed statutory right followed that line. They were not particularly analytical submissions and had a heavy dose of Henny Penny “the sky is falling” hypotheticals. One hypothetical is how the tort will affect insurance premiums in the future. Merritt draws a very long bow in comparing the impact of the tort with the insurance disruption that followed the collapse of HIH, suggesting that a similar result is in the offing. Given that the award of general damages is capped, this is quite a stretch. The analysis is illogical because the tort requires an intentional or reckless act; it is not proper to compare future claims under it with the sort of claims, and the quantum of awards, associated with personal injury and medical negligence. The statutory tort provisions make no comment on vicarious liability, so the general law principle applies. But so what? The situations where that happens will be quite limited. If a person uses company resources to interfere with someone’s privacy then a company may be called to account where it is done in the course of company business and not inconsistent with its activities.

It is quite a poor article but it does highlight the continuing, largely ideological, fighting retreat by some sections of the media from a statutory tort.

The article provides:

Right now, companies are failing at a record rate. So can anyone think of a worse time to create a new way of suing business?

Unfortunately, that’s exactly what federal parliament did on November 29 when it approved a new statutory tort for serious invasions of privacy.

Despite warnings from peak industry groups, parliament did nothing to stop innocent employers being held vicariously liable for invasions of privacy committed by employees who break corporate rules.

Everyone should be accountable for their misdeeds – but not the wrongs committed by others. Yet that is a key feature of the new privacy tort sitting on the federal statute book, just waiting for enterprising lawyers to give it a run when it comes into force in June.

In October, the Business Council of Australia warned about the potential unfairness of holding employers vicariously liable for the wrongful actions of their employees – particularly if companies have taken all reasonable steps to prevent staff from invading anyone’s privacy.

Attorney-General gives insight into privacy at Law Council of Australia Gala Dinner

December 3, 2024

At the Law Council of Australia dinner on 29 November 2024 the Attorney-General waxed lyrical about matters pertaining to his portfolio. In the course of his speech he discussed the statutory tort and the anti-doxxing provisions. His defence of the journalist exemption is wrong-headed. He claims it is necessary to protect freedom of the press. That is nonsense. There is no such exemption in any jurisdiction where there is a tort of privacy, and somehow the press thrives in those places. It was a political, not a policy, decision. It is a terrible mistake. That said, having a tort even in a weakened form is better than no tort.

His speech provides:

Acknowledgements

Thank you to the Law Council of Australia for hosting yet another wonderful dinner, a dinner I’m delighted to be attending for my third consecutive year since returning as Attorney-General in 2022.

I acknowledge the traditional owners of the land on which we meet, the Ngunnawal people, and pay my respects to their Elders, past and present. I extend that respect to all Aboriginal and Torres Strait Islander people here today. 

I thank the President of the Law Council, Greg McIntyre SC, for inviting me to speak tonight. I congratulate and welcome the incoming President, Ms Juliana Warner.

I also acknowledge

    • Her Excellency the Honourable Sam Mostyn AC, Governor-General of the Commonwealth of Australia, and His Excellency Simeon Beckett SC;
    • My parliamentary colleagues;
    • Current and former members of the judiciary; and
    • Members of the legal profession.

Legal assistance services

On 6 September this year First Ministers reached a landmark agreement for a new five year National Access to Justice Partnership.

And I am very pleased to say that yesterday, 28 November, the final signature from an Attorney-General was obtained, and it has been published today.

This agreement provides $3.9 billion in support for legal assistance services over five years – the largest Commonwealth funding contribution to the legal assistance sector ever.

It is a vast improvement on the previous agreement, which expires on 30 June next year.

Every single part of the legal assistance sector will get more funding.

The agreement contains nearly $800 million in additional funding, including $500 million to support frontline legal assistance services delivered by Community Legal Centres, Women’s Legal Services, Aboriginal and Torres Strait Islander Legal Services, Legal Aid Commissions and Family Violence Prevention and Legal Services.

Critically, funding will be ongoing. This means an end to a rolling five-year funding cliff. Instead of fighting for its very existence, the sector will be able to plan for the future. It will be able to more easily attract and retain employees because there is job security. This change may be an underreported element of the new agreement but its significance cannot be underestimated.

The new agreement also addresses long-standing pay parity issues in the sector. For the first time, the Commonwealth is acting to lift rates of pay for the community legal assistance sector, bringing them closer to Legal Aid Commissions – again increasing the ability of services to attract and retain good lawyers.

Unlike the previous agreement, with its inadequate fixed rate of indexation, funding will be increased in line with the Wage Cost Index – meaning Commonwealth funding will not go backwards in real terms over the life of the agreement.

The previous agreement did not provide funding security for individual parts of the sector. States and territories could, if they wished, move money from one part to another, reducing the effective value of the Commonwealth contribution. The new agreement requires jurisdictions to maintain their investment for each part of the sector over the life of the agreement.

This both maintains the value of the Commonwealth contribution and provides funding certainty to each part of the legal assistance sector.

As some in this room may remember, the new agreement was announced at a meeting of First Ministers focused on gender-based violence, and appropriately so.

Access to justice is vital for women and children trying to escape gender-based violence. It can be the difference between leaving and staying in a violent situation. It can be the difference between life and death.

I’m proud that the largest relative funding increase for legal assistance in the new agreement was for Family Violence Prevention and Legal Services – a 112 per cent increase in Commonwealth funding compared to the preceding five years.

We know that First Nations women experience disproportionate rates of family violence.

Nationally, First Nations women are seven times more likely to be homicide victims than non-Indigenous women, and of those women, 75 per cent are killed by a current or former partner.

First Nations women are 33 times more likely to be hospitalised due to family and domestic violence than non-Indigenous women.

As my colleague Senator Malarndirri McCarthy, the Minister for Indigenous Australians, has said, this is a national shame.

Doubling the funding for legal assistance services which help First Nations women escape domestic violence will not solve this problem on its own, but it is an important step forward.

Let me be clear – I know there will always be unmet need in the sector.

But I believe the new National Access to Justice Partnership is a momentous step forward.

That’s why I have been disappointed to see some misrepresentation of what the new Agreement delivers.

I expect demands from the legal profession for government to do more for the legal assistance sector.

But misrepresenting facts helps no one, least of all those in the sector.

Further, it makes little sense to make demands of the Commonwealth only.

Legal assistance is a shared responsibility, and demands on government should not focus on the national government alone.

For those in the audience who work in the community legal sector, I would like to say thank you.

You are among the most talented, committed and hardworking lawyers in the country. The Australian Government values your work. I value your work.

Privacy

You may have noticed we passed a few bills last night and early this morning.

I will go to just two of those tonight.

The first enacts tranche one of our privacy reform agenda.

The legislation does a great deal. It:

    • Creates a new statutory tort for serious invasions of privacy;
    • Creates a new criminal offence for the malicious release of personal data online, known as doxxing; and
    • Establishes provisions to enable the development of a new Children’s Online Privacy Code.

A privacy tort is not a new idea. In fact, that is something of an understatement.

In his 1969 Boyer Lectures Sir Zelman Cowen endorsed legislation to create an actionable right to seek redress for breaches of privacy.

The bill provides for a new statutory cause of action for individuals who have suffered a serious invasion of their privacy, and applies it to both physical privacy and information privacy.

Information Commissioner releases Annual Report

November 1, 2024

It is annual report season for Government agencies and authorities, and that includes the Office of the Australian Information Commissioner. Yesterday the Commissioner released the Office’s 194-page Annual Report for 2023–24.

Given the significant amendments to the Privacy Act 1988 it is better to look forward to how the Privacy Commissioner approaches her responsibilities with her new-found powers rather than poring over the activities of the Privacy Commissioner over the past year. On that note, the work rate improved but it remained a timid regulator by any measure. Which is a pity given that the Information Commissioner’s remuneration was $576,174 and Deputy Commissioner Elizabeth Hampton’s was $380,091. The relatively newly appointed Privacy Commissioner, Carly Kind, is on $109,239.

In relation to privacy complaints the Commissioner stated:

Privacy has been very much in the spotlight, with the continuing incidence of major data breaches. In 2023–24, we received 13% more notifications under the Notifiable Data Breaches (NDB) scheme than the year prior, when there was a 4% increase. We lifted our response rate, closing 84% of notifications within 60 days (compared to 77% last reporting year). In the 2022–23 financial year we received a 34% increase in privacy complaints. This year, complaints have remained relatively high, with a slight decrease of 5% year on year. We successfully responded to this high demand, finalising 20% more privacy complaints (3,104 in total), building on last year’s increase of 17% (2,576 finalised in total).
We continued our focus on clearing longer-standing, generally more complex and resource-intensive complaints, finalising 84% (271) of the 322 matters that were over 12 months old as at June 2023. At the same time, more recent complaints increased in age over the reporting period. The volume of complaints, combined with the focus on the longest-standing, meant that by the year’s end there was an overall increase in matters older than 12 months to 729. The OAIC will continue to focus on aging cases through process efficiencies and the strategic application of resources.

What is quite unusual is that

National Artificial Intelligence Centre (NAIC) releases AI guide for Environmental, Social and Governance practitioners

October 24, 2024

On Monday the NAIC released its 29-page guide for ESG practitioners to assist them in understanding and integrating artificial intelligence (AI) into their work. The guide advises on responsible AI use aligned with ethical goals, introduces a framework by CSIRO’s Data61 and Alphinity Investment Management for assessing AI’s impact on ESG, details 27 sector-specific AI use cases and highlights AI’s role in driving positive ESG solutions, including enhancing accessibility and reducing

ASIC investigating how directors prepare for and respond to cyber attacks

September 18, 2024

The Australian Financial Review reports, in ASIC pursues board directors over cyber breaches, that ASIC is investigating how directors deal with cyber attacks, both before and after they happen. The ASIC Chair’s speech Effective compliance: Perspectives from the regulator highlights this increased focus.

ASIC has been quite active in taking action against companies that have suffered data breaches, most notably its civil penalty proceeding against RI Advice.

The speech by the ASIC chair

Australian Government publishes policy for responsible use of Artificial Intelligence. Comes into force on 1 September 2024

August 17, 2024

The Australian Government has published a 19-page policy for the responsible use of AI. It comes into force on 1 September 2024.

The recommended actions include:

  • training staff on AI fundamentals, taking into account roles and responsibilities such as those of employees involved in the procurement, development, training and deployment of AI;
  • making publicly available a statement outlining the agency’s approach to AI adoption, including information on compliance with the policy, measures to monitor the effectiveness of deployed AI systems, and efforts to protect the public against negative impacts; and
  • designating accountable officials for implementation of the policy within the organisation, who:
    • are the contact point for whole-of-government AI coordination;
    • must engage in whole-of-government AI forums and processes; and
    • must keep up to date with changing requirements as they evolve over time.

The key principles of the policy are aimed at ensuring that:

  • Australians are protected from harm;
  • AI risk mitigation is proportionate and targeted; and
  • AI use is ethical, responsible, transparent and explainable to the public.

The press release is found here and the policy here.

The press release provides:

The Australian Government needs a coordinated approach if it’s to embrace the opportunities of AI. The Digital Transformation Agency has released the Policy for the responsible use of AI in government, an important step to achieve this goal while building public trust.

Coming into effect 1 September 2024, the Policy for the responsible use of AI in government positions the Australian Government to be an exemplar of safe, responsible use of AI.

Designed to evolve with technology and community expectations, it sets out how the Australian Public Service (APS) will:

  • embrace the benefits of AI by engaging with it confidently, safely and responsibly
  • strengthen public trust through enhanced transparency, governance and risk assurance
  • adapt over time by embedding a forward-learning approach to changes in both technology and policy environments.

‘This policy will ensure the Australian Government demonstrates leadership in embracing AI to benefit Australians,’ states Lucy Poole, General Manager for Strategy, Planning, and Performance.

‘Engaging with AI in a safe, ethical and responsible way is how we will meet community expectations and build public trust.’

Enable, engage and evolve

The policy is driven by the ‘enable, engage and evolve’ framework to introduce principles, mandatory requirements and recommended actions.

Enable and prepare

Agencies will safely engage with AI to enhance productivity, decision-making, policy outcomes and government service delivery by establishing clear accountabilities for its adoption and use.

Every agency will need to identify accountable officials and provide them to the DTA within 90 days of the policy effect date.

Engage responsibly

To protect Australians from harm, agencies will use proportional, targeted risk mitigation and ensure their use of AI is transparent and explainable to the public.

Agencies will need to publish a public transparency statement outlining their approach to adopting and using AI within 6 months of the policy effect date.

Evolve and integrate

Flexibility and adaptability are necessary to accommodate technological advances, requiring ongoing review and evaluation of AI uses, and embedding feedback mechanisms throughout government.

Supporting agencies standards and guidance

To help implement the policy, the DTA has published a standard for accountable officials (AOs) to lead their agency to:

  • uplift its governance of AI adoption
  • embed a culture that fairly balances risk management and innovation
  • enhance its response and adaptation to AI policy changes
  • be involved in cross-government coordination and collaboration.

‘We’re encouraging AOs to be the primary point of partnership and cooperation inside their agency and between others,’ outlines Ms Poole.

‘They connect the appropriate internal areas to responsibilities under the policy, collect information and drive agency participation in cross-government activities.’

‘Whole-of-government forums will continue to support a coordinated integration of AI into our workplaces and track current and emerging issues.’

The DTA will also soon release a standard for AI transparency statements, setting out the information agencies should make publicly available such as the agency’s:

  • intentions for why it uses or is considering adoption of AI
  • categories of use where there may be direct public interaction without a human intermediary
  • governance, processes or other measures to monitor the effectiveness of deployed AI systems
  • compliance with applicable legislation and regulation
  • efforts to protect the public against negative impacts.

‘Statements must use clear, plain language and avoid technical jargon,’ stresses Ms Poole.

Further guidance on additional opportunities and measures will be issued over the coming months.

Continuing our significant work on responsible AI

The last 12 months saw important work to better posture the APS for emerging AI technologies including the AI in Government Taskforce, co-led by the DTA and Department of Industry, Science and Resources (DISR), which concluded on 30 June 2024. 

The taskforce brought together secondees and stakeholders from across the APS for an unprecedented level of consultation, collaboration and knowledge-sharing. Its outputs directly informed this new policy and even more, continuing work to ensure a consistent, responsible approach to AI by government.

‘Our AI in Government Taskforce was crucial in demonstrating that we need a centralised approach to how government embraces AI, if it wishes to mitigate risks and increase public trust,’ states Ms Poole.

The Australian Information Commissioner has commenced civil penalty proceedings against Australian Clinical Labs Limited in the Federal Court

November 20, 2023

After coming off some serious questioning in Senate Estimates about poor enforcement practices, the Commissioner announced on 3 November 2023 that the Office of the Australian Information Commissioner had launched proceedings against Australian Clinical Labs on 2 November 2023 (file number NSD1287/2023). The Commissioner has filed a Concise Statement and Originating Application and Australian Clinical Labs Limited has filed a Notice of Address for Service. The Commissioner is represented by DLA Piper, out of its Brisbane office. Previously the Commissioner has been represented by HWL Ebsworth. Gilbert & Tobin, out of its Sydney office, is representing Australian Clinical Labs. Gilbert & Tobin represented RI Advice in the Federal Court case of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496. That case has been heralded as a positive development in enforcing data security as an obligation of financial services licensees under section 912A of the Corporations Act 2001. While RI Advice was the subject of compliance orders and penalties, it is fair to say that Gilbert & Tobin did a good job in keeping the stringency of the orders and the penalty to a moderate level. Compared to overseas penalties by the European regulators, the UK Information Commissioner’s Office and

Legal and Constitutional Affairs Legislation Committee questions Office of Information Commissioner in Senate Estimates on 23 October 2023

October 27, 2023

Senate Estimates are an invaluable way of scrutinising government departments and asking questions on issues that do not find their way into Government reports. So it was when the Senate Legal and Constitutional Affairs Legislation Committee asked some long overdue questions of the Information Commissioner on 23 October 2023. With the Information Commissioner, top of the list of questions is the delay in investigating complaints and the lack of vigorous enforcement by the Commissioner. Compared to other privacy regulators the Australian Information Commissioner’s Office is tardy and timid.

Senator Shoebridge asked questions relating to those very issues. The answers were not particularly inspiring. The good Senator highlighted what privacy practitioners have long suspected: that the Commissioner doesn’t do enforcement. This extract is revealing:

Senator SHOEBRIDGE: How could it be that 1,748 data breaches are referred to your office with not a single penalty over two years? What has gone wrong?

Ms Falk: It’s not a matter of something going wrong. It’s about regulatory strategy. It’s about ensuring that we’re using the right tool in the right circumstances.

Senator SHOEBRIDGE: It’s about never using the stick, isn’t it—never.

Ms Falk: That’s not the case. You’ll be aware that I do have proceedings before the Federal Court in relation to Facebook and also aware of the time that it takes for these matters to progress.

The regulatory strategy is not to take enforcement action. In the US or the UK enforcement would very much be to the fore. Here it is not the “right tool.” Little wonder that there is a very poor privacy culture. If enforcement is off the table there is