Peter A Clarke

De identification of personal information is critically important where data is being used for research. It has also been the subject of great scrutiny by regulators. The Victorian Information Commissioner produced a paper on the limits of de identification after it found that Public Transport Victoria breached myki users privacy by releasing data which exposed myki users’ travel history which the PTV claimed to have de identified. Academics from Melbourne University proved it wrong as they were able to identify the travel history of themselves and others. Apart from being a breach of the Privacy and Data Protection Act Victoria it was embarrassing given the negative publicity. The Federal Office of the Information Commissioner released general advice about de identification. On 19 September 2024 Crikey published Australia’s biggest medical imaging lab is training AI on its scan data. Patients have no idea.  The nub of the article is that I-MED “handed over” scans of thousands of patients to a start up company, Harrison.ai, which will use that data to train artificial intelligence.  It posed the question of how the data could e legally used and disclosed to Harrison.ai.  It made a number of valid points about the generally cavalier manner health organisations treat personal information.  The Privacy Commissioner responded with an investigation.  The Privacy Commissioner has closed an investigation regarding the transfer of data and issued a report. 

The key elements of the report are:

• paragraph 4.2 which sets out the usual two steps of de identification being the removal of personal identifiers and removing or altering other information which may allow a person to be identified;
• paragraph 5.1 the process adopted by I- MED which involved
  • segregating the patient data from the underlying dataset,
  • scanning the records with text recognition software,
  • using two hashing techniques (for unique identifiers such as patient ID numbers, and names, addresses and phone numbers),
  • time-shifting dates (to a random date within a specified number of years),
  • aggregating certain fields into large cohorts to avoid identification of outliers, and
  • redacting any text that appears within or within 10% from the boundary of an image scan.
• paragraph 6.1 the appropriate de identification practices identified by NIST being:
  • utilising of the 5-Safes Principles,
  • ensuring separation of the Annalise.ai and I-MED environments,
  • utilising a ‘Data Use Agreement Model’,
  • imposing prescriptive de-identification standards,
  • removing or transforming all direct identifiers, and
  • utilising top and bottom coding and aggregation of outliers.
• paragraph 6.2 while some personal information was provided to Annalise.ai and therefore shared in error due to failures in the de identification process it was remedied.

it is interesting to note that there were data breaches but not notified to the Privacy Commissioner until after she commenced her preliminary investigation.  That is Read the rest of this entry »

As is commonly the case data breaches have serious consequences. So it is with Tea. It suffered a very significant data breach involving very sensitive information. Thousands of images, posts and comments have been stolen. The BBC reports in Dating safety app Tea suspends messaging after hack that Tea has turned off messaging on the app. Given the nature of the app that is significant.  It suggests a lack of certainty that the threat has been removed.  The story also suggests that Tea is well behind on identifying the extent of the hack.  When a company says Read the rest of this entry »

The first reported threat to use the statutory tort of serious invasion of privacy has been made by Sam and Brittan Groth relating to 2 Herald Sun articles. The nub of the articles, as far as the Groths are concerned, relates to how and when Sam Groth began his relationship with Brittany Groth. The story is covered by the Guardian in Victorian Liberal deputy Sam Groth and wife threaten defamation and privacy action over News Corp stories and the Age with Liberal deputy Sam Groth to test new privacy laws over ‘malicious gossip’.The Age story goes into much more detail about the nature of the allegations contained in the Herald Sun article.  The Age also provides a quasi guide to the elements of a statutory tort of invasion of privacy.  It is incomplete and in part misleading.  It states that journalists have a defence.  It is more than that.  It is an exemption.  In these circumstances it revolves around the scope and operation of section 15 of Schedule 2 of the Privacy Act 1988.

Under Section 15(1) the tort does not apply to an invasion of privacy where that invasion “.. involves the collection, preparation for publication or publication of journalistic material” by a journalist or an employer of a journalist.  A journalist is defined in section 15(2) as being someone who:

  (a)   works in a professional capacity as a journalist; and

  (b)   is subject to:

  (i)   standards of professional conduct that apply to journalists; or

  (ii)   a code of practice that applies to journalists.

Section 15(3) defines journalistic material as being Read the rest of this entry »

Metricon Homes has been hit with a ransomware attack by Qilin. Qilin is a cyber criminal organisation that operates as a ransomware as a service whose modus operandi is to seize data and threaten to publish it on its Dedicated Leak Site (“DLS”) which is hosted on Tor. It was first detected in July 2022. It operates Agenda ransomware which supports multiple encryption modes. it targets large enterprises and its usal mode of entry is through phishing or spear phishing emails. It also has accessed exposed application such Citrix and remote destop protocol. As an aside “qilin” refers to a mythical creature in Chinese folklore, often described as a hooved, chimerical beast with a mix of dragon, deer, and ox features. It’s a symbol of good omens, prosperity, and wisdom, and is said to appear during times of peace, prosperity, or the presence of a sage or benevolent ruler. Notwithstanding the Chinese symbolism Qilin is a Russian Speaking group. It is quite effective. Cyberdaily reports that Metricon has confirmed an attack by Qinlin. Metricon has released a statement, of sorts, which says not much of anything. Definitely not best practice. Apparently other statements have been released but not accessible to the general public yet.  Cyberdaily’s description of Qinlin’s communciation is consistent with its usual practice.  

It is much too early to common on the how the breach occurred, and by the look of it Metricon will be parsimonious with information.  But given Qinlin is known for phishing and spear phishing it is a timely reminder for companies to properly train staff and IT Read the rest of this entry »

Third party access by hackers is so widespread as to almost becoming ubiquitous.  Scattered Spider is so prolific these days in hacking high value companies that it is almost ubiquitous.  Both are present in the dispute in the USA between Clorox, a large manufacturer of disinfectant/bleach and Cognizant, a large IT service provider. 

In August 2023 Clorox first disclosed to the SEC that it had suffered a data breach which would disrupt parts of its operations. The cyber attack damaged part of its IT infrastructure which led to disruption of signature products and forced it to manually process orders. A filing with the SEC a month later Clorox advised that the hack caused lower production rates and predicted that its sales would be 23 – 28% down as well as a loss of share price ranging from 35 – 75 cents, processing delays and product outages. As at November 2023 it estimated that it had suffered damages of $358 million. The cause of the data breach was access via its IT provider, Cognizant. Clorox alleges a hacker rang up staff at Cognizant and asked for Clorox’s system login and it was provided. It has issued proceedings in the California Superior Court.

Bleeping Computer reports in Hackers fooled Cognizant help desk, says Clorox in $380M cyberattack lawsuit that Clorox alleged that Cognizant fell for social engineering by a hacker without verifying the callers actual identity.  The claim alleges that Cognizant didn’t follow the proper procedures and in fact reset credentials multiple times without identity verification.  What makes this case interesting is that Cognizant is defending the claim quite aggressively and alleged that Clorox had inept internal cybersecurity and failed to mitigate the attack.  It also alleges that the scope of the engagement between Clorox and Cognizant was narrow and confined to help desk services, which Cognizant reasonably performed. As such there will be issues of contract, tort and the issue of mitigation of damages.  

While the proceeding will be conducted in California the principles that will be the subject of dispute are applicable in Australia under Australian law.  It is worth following this case closely.  

The Bleeping Computer article provides:

Clorox is suing IT giant Cognizant for gross negligence, alleging it enabled a massive August 2023 cyberattack by resetting an employee’s password for a hacker without first verifying their identity.

The incident was first made public in September 2023, reportedly carried out by hackers associated with Scattered Spider, who utilized a social engineering attack to breach the company. Read the rest of this entry »

Today the OAIC released its regulatory action priorities for 2025 – 26. In the privacy sphere the Commissioner states that it is:

Rebalancing power and information asymmetries

The OAIC will focus on sectors and technologies that compromise rights and create power and information imbalances including:

• • the rental and property, credit reporting and data brokerage, sectors
  • advertising technology (Ad tech) such as pixel tracking
  • practices that erode information access and privacy rights in the application of artificial intelligence
  • excessive collection and retention of personal information
  • systemic failures to enable timely access to government information

Rights preservation in new and emerging technologies

The OAIC will protect and uphold privacy and information access rights when dealing with new and emerging technologies with high impact, including:

• • facial recognition technology and forms of biometric scanning
  • new surveillance technologies such as location data tracking in apps, cars and other devices
  • the preservation of both privacy and information access rights in government use of artificial intelligence and automated decision making.

It is interesting to note that the Commissioner has previously flagged a focus on data collection by cars.  The Commissioner has already taken action in relation to facial recognition technology.  

The media release Read the rest of this entry »

Tea is marketed as a dating safety app. It is used by women to do background checks on men and, anonymously, share “red flag” behaviour on men. It is a woman’s only app with 1.6 million users. It has not been without controversy. Last week it confirmed that it had been hacked and there had been “unauthorised access” to 72,000 images submitted by women. They reportedly stole 13,000 user photos and ids. Additionally there was access to 59,000 images of posts, comments and direct messages from over 2 years ago. The likely entreport for the hackers was an unsecured Firebase storage bucket used to store drivers licences, selfies and government ID verification.  

The story is reported by the BBC in Hackers steal images from women’s dating safety app that vets men. It is covered by AP in The Tea app was intended to help women date safely. Then it got hacked and NBC’s Hackers leak 13,000 user photos and IDs from the Tea app, designed as a women’s safe space. That was the initial knowledge of the hack. Bad enough. But Bleeping Computer reports in Tea app leak worsens with second database exposing user chats that the leak was much larger with 1.1 million personal messages stolen and and shared on hacking forums.

Given the purpose for which the app was set up with its very confidential communications and images of users who would prefer to remain anonymous, or at least known only within the app community, the data security was completely Read the rest of this entry »

Allianz Life is one of America’s largest insurance companies. It has suffered a data breach where a majority of its customers’ personal information was stolen. While it concedes the extent of the mistake in broad terms it refused to put a number on those affected.  CBS reports that Allianz Insurance Company of North America has 1.4 million customers.

Access came through a third party cloud based CRM system used by the company. Third party access is now a preferred means of access by many hackers. Third party providers often have less extensive protections and it is often easier to get authorisations. 

The data breach is reported by Tech Crunch with Allianz Life says ‘majority’ of customers’ personal data stolen in cyberattack. Allianz filed notice of the data breach with the Maine Attorney General.

The Tech Crunch story provides:

U.S. insurance giant Allianz Life has confirmed to TechCrunch that hackers stole the personal information of the “majority” of its customers, financial professionals, and employees during a mid-July data breach. Read the rest of this entry »

The charges against Ryan Cho, a junior doctor who worked at Austin Hospital, arising out his alleged use of video devices in staff toilets has grown from a charge of stalking and using an optical device earlier this month (see my post here) to five new offences. According to a Victoria Police media release, and reported by the ABC, last Friday Cho has now been charged with 5 further offences, most relevantly of 3 counts of producing intimate image and 1 count of using an optical surveillance device. The alleged offences are now  believed to have occurred in in more than one health facility. According to the ABC the Victoria Police allege that Cho had over 10,000 “pieces of images” and videos relating to at least 460 females.

The focus of the story is the alleged criminality of the conduct.  And why not. It is a big story and there is a strong interest by the public and public interest (2 very different concepts) in the issue.  The legislatures in Australia were very quick to respond to the practice of surreptitious filming, usually of women by men, in very private places, such as showers, toilets and change areas.  That response however was confined to criminalising such conduct. That is appropriate.  But there are limitations for the victims in this process.  In criminal cases it is the Crown, in indictable cases, or police Informant, in summary jurisdiction cases, which commence and conduct prosecutions.  It is the Crown/Informant which may enter a plea deal.  In some cases some form of monetary order may be made but it is not the same as an assessment of damages.  And it is prosecutors discretion to seek such orders.  

For years the State legislatures refused to legislate a civil right of action for interferences with privacy.  In Victoria what limited scope of action was confined to breaches by government entities under the Privacy and Data Protection Act.  It is an ineffective process and the results at the Victorian Civil and Administrative Tribunal Act has been very unsatisfactory.  On top of that its use is confined to Victorian Government, its agencies and entities or those providing services on their (as the case may be) behalf.  While the Victorian Government, like many government entities, have had major privacy fails and data breaches those incidents are only a small sub set of the total number of privacy interferences, misuse of private information and data breaches in Victoria (let alone the rest of Australia).  

Equity responded to the lack of statutory privacy protection and the inability of individuals to take action to protect their privacy with the Victorian Court of Appeal decision of Giller v Procopets [2008] VSCA 236.  It extended the claim of breach of confidence into a claim of misuse of private information, following the UK authorities.  It was and is not a good fit in many privacy related breaches.  The law developed at a glacial pace in this generally unsatisfactory environment.  That said, the High Court in Smethurst v Commissioner of Police [2020] HCA 14 came tantalisingly close to recognising a stand alone right to privacy as an actionable tort as the UK Court of Appeal did Vidal – Hall v Google Inc [2015] EWCA Civ 311. In Smethurst the Appellant deliberately did not want the High Court to continue consideration of a claim for breach of privacy.  Their Honours Keifel CJ, Bell and Keanne stated, at [48] (absent footnotes):

The plaintiffs’ principal claim to an injunction is based upon the Court’s auxiliary jurisdiction in equity. This would ordinarily require that it be granted in aid of some legal right or interest or title to property. The plaintiffs make no claim to the property in the AFP’s USB stick. They do not claim a right to privacy which is actionable for breach. They do not ask this Court to continue the debate, left open by Gummow and Hayne JJ in Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd, as to whether the courts should recognise such a tort. The plaintiffs nevertheless contend that an injunction should be granted to reverse or protect them from the effects of the trespass committed as a result of the Second Warrant being invalid. Those effects are that the information may be used to further the investigation as to whether offences against s 79(3) of the Crimes Act have been committed and, if charges are laid, as evidence of the commission of those offences.

(Emphasis added)

The reason for the Appellants reluctance in pressing the question of privacy and “continuing the debate” (which the High Court was most definitely interested in having) is because the media was at 2020, just as it is today, very hostile to the idea of a tort of privacy.  It wanted the relief sought and a finding against the Commissioner of Police but on a more confined basis.  That was a great opportunity wasted but fortunately the legislative has finally enacted a statutory tort of serious invasion of privacy.  As to whether the tort the High Court may have found was a superior form of protection to what has been enacted is something we will never know.  T

he Federal Government enacted a statutory tort of serious invasion of privacy which came into effect on 10 June 2025. 

With the operation of the statutory tort of serious invasion of privacy the gap in the civil law has been closed.  It is able to provide some measure of justice and compensation for victims of the behaviour as alleged in this case.  

The elements of a statutory tort of serious invasion of privacy are set out in section 7(1) of Schedule 2 of the Privacy Act 1988 and they are:

(1)       An individual (the plaintiff ) has a cause of action in tort against another person (the defendant ) if:

(a)     the defendant invaded the plaintiff’s privacy by doing one or both of the following:

(i)      intruding upon the plaintiff’s seclusion;

(ii)     misusing information that relates to the plaintiff; and Read the rest of this entry »

Terry Gene Bollea (known professionally as Hulk Hogan) was  a major celebrity in the curious world of American wrestling and subsequently as a big media personality.  Always good copy.

For lawyers he is at least as well known as winning a very significant privacy case in in 2016,  Hulk Hogan v Gawker case where he defeated Gawker Media ( citation Gawker Media, LLC v. Bollea, 129 So.3d 1196 (Fla. 2d DCA 2014); 170 So.3d 125 (Fla. 2d DCA 2015).  The case demonstrated that not everything a media company does is protected under the First Amendment.  Gawker Media was an online gossip tabloid which specialised in salacious coverage of celebrities private lives. I covered the verdict with posts in March 2016 here and here.

In a trial in Florida in 2016 Hogan won a privacy claim against Gawker which claimed protection under the First Amendment.

It was and remains a very significant case and one which has influenced in jurisprudence in the United States of America,

The facts in brief summary are:

• In 2006, Bollea was videotaped while having sex with Heather Clem, his friend’s wife.  he claimed the videotaping was undertaken without his knowledge or consent. On The Howard Stern Show, Bollea told Stern that he had slept with Heather with Bubba Clem’s (Heather Clem’s husband) blessing and his encouragement because he was so burnt-out from the trauma of his coming divorce that he finally gave in to the “relentless” come-ons from Heather who “kept going down that road.” 
• On October 4, 2012, Gawker editor A. J. Daulerio published a two-minute extract from the 30-minute video, including 10 seconds of explicit sexual activity
• Bollea originally sued Gawker for copyright infringement in the United States District Court for the Middle District of Florida, seeking a temporary injunction. U.S. District Judge James D. Whittemore denied Bollea’s motion, ruling that the validity of the copyright was in question, and that given the degree to which Bollea had already put his own private life into the public arena, the publication of the video might be protected by fair use.
• Bollea withdrew his case in the US district court and sued Gawker in Florida state court.
• Bollea’s request for an injunction was granted by Judge Pamela Campbell in 2013. Gawker announced that it would not comply with the part of the court order requiring the removal of the post and associated commentary because it deemed the order “risible and contemptuous of centuries of First Amendment jurisprudence.” Gawker removed the video itself, but linked readers to another site hosting the video.
• The injunction was stayed on appeal, and was denied in 2014 by the appeals court, which ruled that under the circumstances it was an unconstitutional prior restraint on speech under the First Amendment.
• The trial in 2016 ran for two weeks. Gawker argued that Bollea made his sex life a public matter, although on cross-examination, when asked by Bollea’s lawyer whether a depiction of his genitalia had any “news value”, former Gawker editor AJ Daulerio responded “no”. Bollea said that comments made in interviews were done in his professional wrestling character, an on-air persona different from his own.
• On March 18, 2016, the jury delivered a verdict in favor of Bollea. The jury awarded him $115 million in compensatory damages, which included $60 million for emotional distress. The jury awarded Bollea an additional $25 million in punitive damages on March 21.
• On June 9, 2016, Gawker filed a motion for a stay of execution of judgment pending appeal. In the motion and accompanying affidavits from Gawker Media personnel, the company stated that it could not afford to pay the $140.1 million judgment or the $50 million appeal bond.
• On June 10, 2016, Gawker filed for Chapter 11 bankruptcy protection and put itself up for sale.
• Univision Communications bought Gawker Media’s assets for $135 million at a bankruptcy auction on August 16, 2016 which included six Gawker websites—Deadspin, Gizmodo, Jalopnik, Jezebel, Kotaku, and Lifehacker.
• On November 2, 2016, Gawker Media and Bollea reached a $31 million settlement. As a result of the settlement, Gawker forwent its appeal and three articles from gawker.com were taken down, including the one involving Bollea.

Schedule 2 of the Privacy Act 1988 contains the provisions giving effect to the statutory tort of serious invasion of privacy.  How relevant is the Hulk Hogan case to the consideration of Australia’s statutory tort?  On its face little.  An issue in the Hulk Hogan case was whether the material published by Gawker Media had news value.  And the witness for Gawker said “no.”  Under section 15(1) of Schedule 2 the statutory tort does not apply “..to the extent that the invasion of privacy involves the collection, preparation for publication or publication of journalistic material” while section 15(1A) provides that “..This Schedule does not Read the rest of this entry »