Given the scope and sensitivity of the personal information lost in the Genea data breach it is hardly surprising that a number of firms, 3 at last count, are considering class actions. This looming herd/charge of class actions is covered by Nine with ‘Reopened those wounds’: IVF patients to sue clinic over data breach and the Sydney Morning Herald with ‘Emotionally devastating’: Victims of IVF data breach seeking class action. It is always difficult to predict what will or won’t be pleaded in class actions but the issues that are clearly relevant revolve around obligation to keep confidential material safe and secure and what steps were taken to keep the personal information secure. There may be issues relating to misrepresentations and perhaps breach of contract.  

The SMH article provide:

Read the rest of this entry »

Third party access by hackers is so widespread as to almost becoming ubiquitous.  Scattered Spider is so prolific these days in hacking high value companies that it is almost ubiquitous.  Both are present in the dispute in the USA between Clorox, a large manufacturer of disinfectant/bleach and Cognizant, a large IT service provider. 

In August 2023 Clorox first disclosed to the SEC that it had suffered a data breach which would disrupt parts of its operations. The cyber attack damaged part of its IT infrastructure which led to disruption of signature products and forced it to manually process orders. A filing with the SEC a month later Clorox advised that the hack caused lower production rates and predicted that its sales would be 23 – 28% down as well as a loss of share price ranging from 35 – 75 cents, processing delays and product outages. As at November 2023 it estimated that it had suffered damages of $358 million. The cause of the data breach was access via its IT provider, Cognizant. Clorox alleges a hacker rang up staff at Cognizant and asked for Clorox’s system login and it was provided. It has issued proceedings in the California Superior Court.

Bleeping Computer reports in Hackers fooled Cognizant help desk, says Clorox in $380M cyberattack lawsuit that Clorox alleged that Cognizant fell for social engineering by a hacker without verifying the callers actual identity.  The claim alleges that Cognizant didn’t follow the proper procedures and in fact reset credentials multiple times without identity verification.  What makes this case interesting is that Cognizant is defending the claim quite aggressively and alleged that Clorox had inept internal cybersecurity and failed to mitigate the attack.  It also alleges that the scope of the engagement between Clorox and Cognizant was narrow and confined to help desk services, which Cognizant reasonably performed. As such there will be issues of contract, tort and the issue of mitigation of damages.  

While the proceeding will be conducted in California the principles that will be the subject of dispute are applicable in Australia under Australian law.  It is worth following this case closely.  

The Bleeping Computer article provides:

Clorox is suing IT giant Cognizant for gross negligence, alleging it enabled a massive August 2023 cyberattack by resetting an employee’s password for a hacker without first verifying their identity.

The incident was first made public in September 2023, reportedly carried out by hackers associated with Scattered Spider, who utilized a social engineering attack to breach the company. Read the rest of this entry »

The case of Kate Aston being videoed walking out of a bathroom and Nathalie Matthews being concerned about intimate videos she filmed would be made public raises issues of privacy protections in each case and what each could do to protect their privacy. Particularly with the statutory tort of serious invasion of privacy coming into operation on 10 June 2025.

While both factual situations are unique they are not, in broad strokes, all that unusual in privacy law.  The use of videos and cameras used in a setting which should be private and which clearly cause serious distress is not unknown. Many cases, almost invariably resulting in a prosecution, involve the use of a camera/video in a toilet. But there is no hard dividing line taking photos or videos of someone in a toilet and photographing or videoing someone with that same equipment who are leaving a toilet.  The question is whether there is a reasonable expectation of privacy.  In case of someone using the toiletry facilities the answer is clearly yes.  In terms of someone leaving a toilet it is most likely yes.  The distinction is slight.  One can have a reasonable expectation of privacy in a semi public or even public space. In 2008 the UK Court of Appeal in Murray v Big Pictures (UK) Ltd [2008] EWCA Civ 446 found that a child had a right to privacy in a public space. The Mrs Murray in that case writes under the nome de plume of JK Rowling. While the claim was brought on behalf of the Murray’s child the defendant’s interest was more about capturing an image of Mrs Murray with her family, child especially.  While that case focused on the rights of the child the subsequently developed principles apply to adults. It depends on the circumstances.  And those circumstances do not assist someone who intentionally waits outside a toilet and uses the video to catch another on film leaving the toilet.  And then posts that footage on line.  

According to 7 News Ms Aston has commenced legal action. Whether that is a claim in privacy, equity, defamation or any other cause of action is unknown.  

According to the Australian report of the Matthews case the concern is there are intimate videos would be made public and that motivated her to apply for a domestic violence order.  The abuse of intimate videos, previously made consensualy, have been the subject of two superior court decisions in Australia; the Victorian Court of Appeal decision in  Giller v Procopets [2008] 24 VR 1 and the Western Australian decision of Wilson v Ferguson [2015] WASC 15 which I posted on in 2015.  

Either of these cases could be run without the statutory tort of serious invasion of privacy.  With that tort extant and these fact situations commencing after 10 June 2025 the tort is available to either.  The strength of the case depends on all of the facts, not just the media coverage. 

It is interesting to read Read the rest of this entry »

The Prime Minister today foreshadowed legislation to unmask online trolls and amend the law of defamation in response to the High Court decision in Fairfax Media Publications Pty Ltd v Voller; Nationwide News Pty Limited v Voller; Australian News Channel Pty Ltd v Voller [2021] HCA 27.  The necessary bills will be released in the next week.  A mid morning media release on a Sunday, usually a slow news day where editors fret on what will fill the front page the next day, guarantees big coverage on Monday.

Extracting the reforms from the media release the changes will involve:

• legislating a requirement that social media platforms to set up a complaints system so as to remove defamatory remarks;
• establishing a new Federal Court order to require social media giants to identify details of trolls to victims without consent.
• Australians and Australian media organisations will not be considered publishers. 
• social media platforms will be considered publishers though liability may be avoided if they provide information which permits victims to commence defamation proceedings against a troll.

The curious thing is that there is already a process for applying to the Federal Court for an order to a social media platform, search engine or internet service provider to identify an author who is using a pseudonym to defame someone.  I make these applications regularly enough as part of my defamation practice.  The principles are well established and the process is not overly onerous.  What new order is required will be interesting to see. There is also concern raised about social media platforms being required to collect personal information which would be provided if the mooted application is made.  That is not as dramatic as has been reported.  Google and Yahoo and other platforms require email addresses and sometimes phone numbers.  They can provide the isp number. It is relatively easy to identify the author from those details.  Similarly if the social media is put on notice about defamatory posts they may currently lose their protection from suit in the Broadcasting Services Act. 

If the Government were serious about Read the rest of this entry »

The Ontario Superior Court of Justice in Jane Doe 464533 v ND (2016 ONSC 541) has expanded the tort of privacy to incorporate the publication of embarrassing facts.  It is a very significant decision and an advance in the development of the law of privacy, in Canada at least.  It is also a key case considering the egregious practice of revenge porn.  The commentary will be quite useful in the development of the tort in relation to this type of fact situation.

FACTS

The parties met while at high school and started dating while they were both in Grade 12.  They stopped dating but continued to see each other romantically throughout Read the rest of this entry »

A standard brief for very junior barristers starting out has been to make application to set aside a judgment obtained in default of defence or appearance.  The gold standard case setting out the principles was, and to a large extent is, Kostakenellis v Allen.   Now the Court of Appeal in Lubura v Nezirevic [2013] VSCA 215 has considered the first element of the test for setting aside judgments, whether the applicant has a defence on the merits. While it is a unanimous decision each of Warren CJ, Osborn JA and Robson AJA each had separate reasons.

FACTS

The facts are most comprehensively set out in Robson AJA’s reasons.

Early in the morning of  Sunday 8 July 2007 the respondent and other friends attended at the Red Star bar in Pultney Street, Dandenong [30].  A fight broke out between two groups, one of which contained the respondent and the other containing the appeallent, both in the bar and outside on the street subsequently. The respondent was surrounded and assaulted by at least two males with bottles, receiving injuries including bruising and laceration to his ear and head, as well as a ruptured globe to his right eye. He lost sight in his right eye as a consequence of the assault. Other members of the group were also assaulted [31]. The appellant was initially charged with four counts: intentionally causing serious injury, and (as an alternative) recklessly causing serious injury, common assault, and affray.  On 25 November 2011, a fresh presentment was filed, with two charges to which the appellant pleaded guilty; assault of a person unknown to the Director of Public Prosecutions and affray [33].

On or about 30 August 2010 the Appellant received the writ in the civil proceeding brought by the respondent. The appellant says Read the rest of this entry »

Today’s Sydney Morning Herald is doing the meltdown thing about a plaintiff, Liskula Gentile Cohen,  successfully forcing Google to provide identifiers of a blogger.  The ruling enables  Cohen to  identity the blogger that described her as a skank and an old hag.  Actually the blogger said:

“I would have to say the first-place award for ‘Skankiest in NYC’ would have to go to Liskula Gentile Cohen,” the anonymous blogger wrote.

“How old is this skank? 40 something? She’s a psychotic, lying, whoring, still going to clubs at her age, skank.”

Very blogspeak.  Cohen is planning on suing.  In the Australian context there would be some interesting pleading challenges if one was to run a justification defence.  But the US laws are far more difficult for the plaintiff, particularly if Cohen is regarded as a public figure.  Cohen has apparently already made contact with the blogger by phone.  They know each other.

The Times on line (UK) has run a similar theme to the Australian Press reports with  Vogue model Liskula Cohen wins right to unmask offensive blogger, but it should know better.  It identified Richard Horton, the Night Jack blogger, months ago and fended off his attempt to maintain anonymity publish his details prompting a breathless analysis in June under the banner Analysis: bloggers can no longer be sure on anonymity,  The decision, by Mr Justice Eady, of The Author of a Blog v Times Newspapers Limited refusing an injunction to protect a blogger’s anonymity is hardly ground-breaking law.

There has never been a separate stand alone right to unmask/identify a blogger.

The interlocutory decision of the Manhattan Supreme Court sets no precedent.  The case involves long established principles Read the rest of this entry »