Re Australian Builders Group Pty Ltd [2022] VSC 254 (20 May 2022): statutory demand, s 459G, application to set aside, genuine dispute about existence and/or amount of debt & whether due and payable because condition precedent in deed not met, validity of notice, principles of economic duress

May 23, 2022

In Re Australian Builders Group Pty Ltd [2022] VSC 254 the Supreme Court, per Hetyey AsJ, set aside a statutory demand on the basis of a genuine dispute arising from the construction of an agreement and a default notice, and also from a claim of duress.

FACTS

On or around 1 June 2017 Mind, a not-for-profit organisation providing community-managed specialist mental health services, entered into an agreement with Australian Win Win Investment Pty Ltd (‘the landlord’) to lease a property located at 691 High Street, Thornbury, Victoria (‘the property’ and ‘the lease’ respectively) for an amount of $130,000 per annum (approximately $10,833.33 per calendar month) [1].

In early May 2018, Mind and ABG entered into a sublease agreement for the property (‘the sublease’). The parties to the sublease agreed that ABG would pay a reduced amount of rent of $121,000 per annum (approximately $10,083.33 per calendar month) [2].

From February 2019, ABG began to fall into arrears and, by 15 April 2021, it owed Mind approximately eight months’ rent, totalling $82,279.92 (‘the arrears’). Pursuant to a repayment deed, ABG agreed to make regular payments of the arrears of $2,500 plus GST, together with interest, per week.

Regarding the repayment Read the rest of this entry »

A & J Morphett Nominees Pty Ltd v JBT Lawyers Pty Ltd & Anor [2022] VSC 238 (17 May 2022): role of Stakeholder, where deposit held by solicitor as stakeholder on behalf of both parties to sale transaction & failed to refund deposit to purchaser who validly terminated the contract.

May 22, 2022

In A & J Morphett Nominees Pty Ltd v JBT Lawyers Pty Ltd & Anor [2022] VSC 238 Justice Dixon, in upholding an appeal, made important statements for practitioners on the role of stakeholders.

FACTS

On 26 November 2018 the appellant and Chloe Estelle Pty Ltd entered into the contract with the appellant paying the deposit of $42,000 to the respondent on 6 December 2018 [4].

On 21 March 2019, the appellant by written notice terminated the contract and requested that the respondent repay the deposit to it [4].

The appellant, A & J Morphett Nominees Pty Ltd, commenced proceedings against Chloe Estelle Pty Ltd, as first defendant, and the respondent, JBT Lawyers Pty Ltd, as second defendant in the Magistrates Court.  In its defence the respondent admitted that it received the deposit sum as a stakeholder as alleged by the appellant [6].

On 24 June 2019, the appellant entered default judgment in the proceeding against Chloe Estelle Pty Ltd, which included an amount for interest and costs [7]. The appellant did not recover against Chloe Estelle Pty Ltd as it was and on 18 July 2019, an administrator was appointed and it was subsequently ordered to be wound up. The liquidators made no claim for the deposit.

It has never been in dispute that the respondent received that sum as a stakeholder for the appellant and Chloe Estelle Pty Ltd [3].

On 29 March 2019, the Federal Circuit Court, per Small J, made an order in a Family Law dispute between different parties. It relevantly Read the rest of this entry »

Announcements of privacy bills in both United Kingdom and the United States

May 15, 2022

As part of the Queen’s Speech, read by the Prince of Wales, the UK government announced that it would introduce a Data Reform Bill.

The Bill proposes to provide the Information Commissioner’s Office with greater powers to take “stronger action” against businesses that breach data rules.

The background and briefing notes state that the Bill will focus on a flexible, “outcomes-focused” approach rather than “box-ticking,” and will simplify the rules relating to the use of personal data for research purposes.

While the UK government complained of the UK General Data Protection Regulation (“GDPR”) and the Data Protection Act of 2018 as “highly complex and prescriptive” legislation that imposes excessive administrative burdens on business, it will nonetheless seek renewal of the European Commission’s adequacy decision upon its automatic expiry in 2025. This will permit personal data to continue to flow uninhibited between the EU and the UK.

In the United States the US House of Representatives passed the Promoting Digital Privacy Technologies Act on 11 May 2022. It provides for the Director of the Office of Science and Technology Policy, acting through the Networking and Information Technology Research and Development Program, to coordinate with the Director of the National Science Foundation, the Director of the National Institute of Standards and Technology, the Federal Trade Commission, and the heads of other federal agencies, as appropriate, to accelerate the development, deployment, and adoption of privacy enhancing technologies. This is one way of dealing with privacy intrusions and one that is finding some favour given the disappointing performance of regulators and privacy intrusive legislation that is enacted from time to time.

The bill defines privacy enhancing technology as Read the rest of this entry »

22 Council of Europe members sign new additional protocol to Cybercrime Convention

The Council of Europe (‘CoE’) announced that 22 Council of Europe Member States had signed the Second Additional Protocol to the Convention on Cybercrime on Enhanced Co-operation and Disclosure of Electronic Evidence (‘Second Additional Protocol to the Budapest Convention’).

The Second Additional Protocol provides for:

  • a legal basis for disclosure of domain name registration information and for direct co-operation with service providers for subscriber information;
  • effective means to obtain subscriber information and traffic data;
  • immediate co-operation in emergencies;
  • mutual assistance tools; and
  • personal data protection safeguards.

Interestingly, the Second Additional Protocol was signed by the non-CoE Member States of Chile, Colombia, Japan, Morocco, and the United States. But not Australia. That is more than Read the rest of this entry »

CBS Commercial Canberra Pty Ltd v Axis Commercial (ACT) Pty Ltd, in the matter of CBS Commercial Canberra Pty Ltd [2022] FCA 544 (12 May 2022): application to set aside statutory demand, offsetting claim,

The Federal Court, per Halley J, set aside a statutory demand in CBS Commercial Canberra Pty Ltd v Axis Commercial (ACT) Pty Ltd, in the matter of CBS Commercial Canberra Pty Ltd [2022] FCA 544 in finding that an offsetting claim constitutes a genuine dispute. It is a very good decision setting out the complications of offsetting claims arising from building contracts relied upon in setting aside a statutory demand which is based on a certificate and judgment obtained under the Security of Payments Act.

FACTS

CBS engaged Axis as a sub-contractor to undertake work at a building site located in Gungahlin in the Australian Capital Territory [12].

The chronological events Read the rest of this entry »

Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (5 May 2022): ss 912A(1)(a) & (h) Corporations Act 2001 (Cth), failure to have adequate cybersecurity risk management in place,

May 14, 2022

The Federal Court, per Rolfe J, in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 made what has widely been described as the first occasion on which a corporation has been found to have breached its licence obligations in failing to have adequate risk management systems to manage its cyber security risks. The Court ordered declaratory relief requiring RI Advice to undertake work to improve its security under the supervision of an expert.

The orders were made in terms agreed between the parties just before the trial was scheduled to commence.

I have followed this proceeding closely with posts ASIC commences action against RI Advice Group Pty Ltd for failing to have adequate cyber security in August 2020 and ASIC v RI Advice Group Pty Ltd cyber security civil penalty trial pushed off from a 29 November 2021 hearing date to a date in April 2022 in May 2021.

FACTS

The Court provided a factual background, stating that RI Advice:

  • was:
    • a wholly-owned subsidiary of Australia and New Zealand Banking Group Limited (ANZ) up to and including September 2018;
    • from 1 October 2018, along with two other ANZ financial licensees, part of the IOOF Holdings Limited (IOOF) group of companies [12]
  • carries on a financial services business within the meaning of s 761A of the Corporations Act (“The Act”) under a third-party business owner model.
  • authorises, under s 916A of the Act, independently-owned corporate authorised representatives (“ARs”) and individual authorised representatives to provide financial services to retail clients on RI Advice’s behalf and pursuant to the Licence [13]

The AR Practices (practices of groups of one or more Authorised Representatives):

  • electronically received, stored and accessed confidential and sensitive personal information and documents in relation to their retail clients. The personal information included:
    (a) personal details, including full names, addresses and dates of birth and in some instances health information;
    (b) contact information, including contact phone numbers and email addresses; and
    (c) copies of documents such as driver’s licences, passports and other financial information [14].

  • since 15 May 2018 provided financial services to at least 60,000 retail clients [15]
  • had 9 cybersecurity incidents between June 2014 and May 2020, being:
    • in June 2014 an AR’s email account was hacked and five clients received a fraudulent email urging the transfer of funds, one of whom made transfers totalling some $50,000;
    • in June 2015 a third-party website provider engaged by an AR Practice was hacked, resulting in a fake home page being placed on the AR Practice’s website;
    • in September 2016 one client received a fraudulent email, purporting to be from an employee of an AR Practice, asking for money. The AR Practice used an email platform where information was stored “in the Cloud”, with no anti-virus software and only one password which everyone used;
    • in January 2017 an AR Practice’s main reception computer was subject to ransomware delivered by email, making certain files inaccessible;
    • in May 2017 an AR Practice’s server was hacked by brute force through a remote access port, resulting in a file containing the personal information of some 220 clients being held for ransom and ultimately not recoverable;
    • between December 2017 and April 2018 (December 2017 Incident) an unknown malicious agent gained unauthorised access to an AR Practice’s server for several months, compromising the personal information of several thousand clients, some of whom reported unauthorised use of the personal information;
    • in May 2018 an unknown person gained unauthorised access to the email address of an AR and sent a fraudulent email to the AR’s bookkeeper requesting a bank transfer;
    • an unauthorised person used an AR Practice’s employee’s email address:
      • in August 2019 to send phishing emails to over 150 clients; and
      • in April 2020 to send phishing emails to the AR Practice’s contacts [16].

Inquiries and reports following the cybersecurity incidents revealed that there were a variety of issues in the respective ARs’ management of cybersecurity risk, including:

  • computer systems not having up-to-date antivirus software installed and operating;
  • no filtering or quarantining of emails;
  • no backup systems in place, or backups not being performed; and
  • poor password practices including:
    • sharing of passwords between employees,
    • use of default passwords,
    • passwords and other security details being held in easily accessible places or being known by third parties [17].

Regarding the incidents Read the rest of this entry »

National Institute of Standards and Technology releases CMVP Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B

May 13, 2022

The National Institute of Standards and Technology today released its CMVP Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B. It is a very technical document, even by NIST standards, coming in at 80 pages.

The publication amends NIST SP 800-140B by:

  1. Defining a more detailed structure and organization for the Security Policy
  2. Capturing Security Policy requirements that are defined outside of ISO/IEC 19790 and ISO/IEC 24759
  3. Building the Security Policy document as a combination of the subsection information
  4. Generating the approved algorithm table based on lab/vendor selections from the algorithm tests

The abstract Read the rest of this entry »

Data breach at the California State Bar, with 322,000 confidential attorney discipline files exposed to the public, an excruciating experience ongoing from 27 February 2022

May 10, 2022

Lawyers are far from immune from data breaches. In fact, law firms are attractive targets for ransomware attacks and malicious actors, sometimes state sponsored ones, who are interested in the sensitive information about clients held behind often poorly protected cyber defences. Nothing so nefarious has hit the State Bar of the US state of California, with over 322,000 confidential attorney discipline records being erroneously published on public records aggregator Judyrecords from 15 October 2021 until 26 February 2022. The Bar claimed that this error was due to a bug in its case management system. While a data breach caused by a flaw in the IT system rather than a malicious hack is a minor consolation, the mortification level remains high nevertheless. And it remains a data breach. The breach was discovered on 24 February 2022. The Bar has been required to notify 1,300 complainants, witnesses, or respondents.

The episode highlights the importance of checking the operability of IT systems as well as cyber security defences. Clearly the glitch which caused this data breach was due to a malfunction in the system. That is an explanation, not an excuse.

The State Bar first issued a Media release, State Bar of California Addresses Breach of Confidential Data, on 26 February 2022.  At that time Read the rest of this entry »

US President signs Better Cybercrime Metrics into law

It is obvious to anyone practising in the privacy and data security area that reliable statistics about the incidence of cybercrime, the number of people or organisations affected and the cost of those criminal acts are hard to come by. The causes are numerous: victims being unwilling to report crimes, organisations affected by hacks doing their best to keep the publicity to a minimum, differing definitions of certain crimes and the inefficient collation of what data there is.

It is therefore welcome that the US is regularising the collection of data relating to cyber crime and cyber enabled crime. The Act Read the rest of this entry »

US state of Connecticut passes comprehensive consumer privacy bill

In the United States the states have traditionally been active in law reform, often leading the way until the Federal Government steps in and makes nationwide laws, to the extent permissible by the constitution. There have been notable exceptions, such as the New Deal legislation of the 1930s and Lyndon Johnson’s frenetic legislative activity of the 1960s. But with privacy the US states have led the way, with the California Consumer Privacy Act of 2018 (CCPA) being the most comprehensive.

Australian States could legislate for proper privacy protections in Australia.  There is ample scope to provide greater protections and  but choose not to do so.

The US North Eastern State of Connecticut has passed a comprehensive privacy Act, S.B.6 AN ACT CONCERNING PERSONAL DATA PRIVACY AND ONLINE MONITORING. With this Bill Connecticut will be the fifth state of the Union to have a comprehensive privacy law. It will take effect on 1 January 2023.

The official description of what the legislation, if signed by the Governor, will do is:

To: (1) Establish (A) a framework for controlling and processing personal data, and (B) responsibilities and privacy protection standards for data controllers and processors; and (2) grant consumers the right to (A) access, correct, delete and obtain a copy of personal data, and (B) opt out of the processing of personal data for the purposes of (i) targeted advertising, (ii) certain sales of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning consumers.

The legislation applies to persons conducting business in Connecticut or persons that produce products or services that are targeted to residents of Connecticut that:

  • controlled or processed the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or
  • controlled or processed the personal data of not less than 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.

The legislation does not regulate:

  • nonprofit organizations,
  • institutions of higher education,
  • financial institutions or data subject to the GLBA,
  • HIPAA covered entities or business associates,
  • business-to-business and employee data,
  • certain personal information under the
    • Fair Credit Reporting Act,
    • Driver’s Privacy Protection Act of 1994,
    • Family Educational Rights and Privacy Act.

Consumer Rights

Under the Bill consumers have the right Read the rest of this entry »