Last Friday, 11 September 2020, the Commonwealth Attorney General referred two matters to the Australian Law Reform Commission:

1. a review into judicial impartiality with a final report due on 30 September 2021; and
2. a review of the legal framework for corporations and financial services with a final report due on 30 November 2023.

The Media Release Read the rest of this entry »

Cicero said “Laws are silent in time of war.”  The modern day equivalent is “laws are selectively ignored in times of pandemic.”  In the area of privacy laws that variation is very apposite.  In this pandemic the Victoria Police have been notably more assertive (read aggressive), paternalistic (read preachy, especially the Falstaffian Luke Cornelius’ intemperate verbal lashing of this or that civilian who attracts his ire) and selective about which laws they follow (as in don’t follow) than their interstate equivalents.  By a large margin and from the outset of the COVID.   The latter point is illustrated by Victoria Police reportedly using mobile surveillance units to remotely monitor citizens for breaches of the COVID laws. 

Putting aside the concerning willingness of Victoria Police officers to adopt such a dystopian method of performing their duties, as they see it.  I would be very interested to see the legal advice which regarded those actions as consistent with the Privacy and Data Protection Act 2014.  It is particularly concerning given the units are being deployed where there have been no complaints to police or even evidence of a breach.  That is just blanket surveillance pure and Read the rest of this entry »

The Attorney General announced yesterday that the Commonwealth Government will extend the insolvency and bankruptcy protections previously enacted in relation to:

• trading while insolvent
• increasing the threshold at which creditors can issue a statutory demand and the time for responding to a statutory demand.

The protections will extend until 31 December 2020.

The Attorney General’s media release provides:

The Morrison Government will continue to provide regulatory relief for businesses that have been impacted by the Coronavirus crisis by extending temporary insolvency and bankruptcy protections until 31 December 2020.

Regulations will be made to extend the temporary increase in the threshold at which creditors can issue a statutory demand on a company and the time companies have to respond to statutory demands they receive.

The changes will also extend the temporary relief for directors from any personal liability for trading while insolvent.

These measures were part of more than 80 temporary regulatory changes the Government made designed to provide greater flexibility for businesses and individuals to operate during the coronavirus crisis.

The extension of these measures will lessen the threat of actions that could unnecessarily push businesses into insolvency and external administration at a time when they continue to be impacted by health restrictions.

These changes will help to prevent a further wave of failures before businesses have had the opportunity to recover.

In addition, the Government is providing an unprecedented level of support totalling $314 billion to cushion the blow for workers, households and businesses during the coronavirus crisis.

As the economy starts to recover, it will be critical that distressed businesses have the necessary flexibility to restructure or to wind down their operations in an orderly manner.

The Government will continue to help businesses successfully adapt and restructure so that they can bounce back on the other side of this crisis.

As the Age reports in ‘More harm than good’: Businesses get reprieve but thousands still set to fail on the the changes, importantly that the extensions may actually harm rather than benefit Read the rest of this entry »

Today the Australian Securities and Investments Commission (“ASIC”) commenced proceedings against RI Advice Group Pty Ltd (“RI”).   It has been filed in the Federal Court Victorian Registry.  

RI holds an Australian Financial services licence and at all relevant times was a wholly owned subsidiary of the Australia and New Zealand Banking Group Limited (the ANZ).

According to the Concise Statement :

• on 3 January or 3 March 2017 RI became aware of a ransomware attack on the computer systems of one of RI’s authorised representatives in 2016 which made files inaccessible [5];
• on 30 May 2017 RI became aware another authorised representative’s files were hacked which affected 226 client groups [6]. 

ASIC alleges that in relation to each of those incidents RI should have but failed to:

 (a) properly review the effectiveness of cybersecurity controls relevant to these incidents across its AR network, including account lockout policies for failed log-ins, password complexity, multi-factor authentication, port security, log monitoring of cybersecurity events, cyber training and awareness, email filtering, application whitelisting, privilege management and incident response controls; and (b) ensure that those controls were remediated across its AR network where necessary in a timely manner, in order to adequately manage risk with respect to cybersecurity and cyber resilience.

• between 30 December 2017 and 15 April 2018 an unknown malicious agent obtained and retained remote access to an authorised representative’s remote access to its file server and spent 155 hours accessing sensitive client information.  That resulted in 27 clients reporting unauthorised use of their personal information with that there were 3 attempts to redirect mail and multiple bank accounts being opened upon without consent.  There was a notification to the Australian Information Commissioner.  An investigation revealed that 8,104 individuals were exposed to the breach.

ASIC alleges that the risk management systems and resourcing relating to cybersecurity and cyber resilience were inadequate Read the rest of this entry »

One of the many flaws in the Privacy Act 1988 is that political parties are exempt from its coverage. That was not an omission or unintended consequence of the drafting. There was a specific carve out for political parties in section 7C of the Privacy Act.  The provision, titled Political acts and practices are exempt, is comprehensive in exempting political organisations and their sub contractors (sub section 3) and their volunteers (sub section 4).  These provisions were passed with bipartisan support.  It was and remains a major public policy failing.

The lifeblood of political parties is data.  Data allows political parties to refine messages and target voters.  That data comes from constituents contacting their local members, polling, gleaning information from social media and other forms of information collection. Gone are the days when political parties relied on rough quantative surveys and the gut feel of hardened political operatives.  Political parties know focus on blocks and streets, not suburbs and electorates when they are not targeting individual voters.  Most of that data is personal information.

The other store of data that political parties store are membership lists.  Membership lists are nuggets of gold for apparatchiks in their constant quest to work numbers, whether in pre selection fights or competing for positions within the many committees within all political parties. And internal competition can be fierce, much fiercer than between political parties.  Factions spend an enormous amount of time signing up members to electorate branches while rival factions monitor those activities and attempt to derail them whenever possible, as well as signing up their members.   The desire to thwart one’s opponents easily descends into regrettable acts of skullduggery. And that seems to be at the core of the data breach of the Victorian Division of the Liberal Party as reported in Warring Victorian Liberals spring a data leak.

By any measure a data breach involving the access and distribution of the personal details of Liberal Party members without their consent is a very serious matter.  Many members of political parties are quite open about their membership, some are very vocal about it.  But many are not for a range of legitimate reasons, be it causing difficulties in their jobs (such as working in the public service) or personal, not wanting family members to know they are active.  And because of the corrosive nature of inter party fighting it attracts unwanted attention as seems to have occurred with members being called and quizzed on their membership and who paid their membership fees.  Worse, the story reports that details of the list have been provided to journalists.

The response is typically familiar when political parties suffer embarrassing data leaks, call in the police.  It looks and sounds strong and means very little.  The police come in, look around, take a few statements, realise quickly they are part of a pantomine (though they probably knew that before putting on granite faces and walking in with clipboards tucked under an arm) and send their carefully typed report up the chain of command until it gets a nose bleed.  Weeks pass then months go buy and on a Friday afternoon close to Christmas a press release announces the investigation is closed.  And that is probably the right result.  Because the problem is not about criminal activity, it is about poor governance and poor understanding of what is required to properly collect, store and use personal information.  And for better or worse, generally worse, the appropriate party to investigate is the Australian Information Commissioner should investigate, which can’t be done because political parties have been exempted from coverage.  Some of the most data intensive organisations in Australia collecting some of the most sensitive personal information are exempt.  It is a failure of public policy on a staggering scale.

The article Read the rest of this entry »

Stories about Google knowing more about its users than the users themselves are so ubiquitous, like Google, that they rarely make their way onto the back page of a paper let alone the front page.  What is more concerning and noteworthy is recent run of stories of social media platforms, like Facebook, and data collecting companies, like Google, collecting and using data contrary to the supposed settings.  The Australian reports on the latest example of this egregious behaviour with Google knows your every move even with ‘location history’ off.  In short Google is tracking a phone’s movements even when settings to protect privacy are activated.  The way this was determined was through a test where software was installed to detect (described as tap) data being sent to Google.  This data stream was identified.  The nub of the problem is that the consent to use data went beyond that which was agreed, with that data being sold by brokers to police forces, governments and spy agencies.  The data collected includes Read the rest of this entry »

Last Friday the Australian Competition & Consumer Commission (“ACCC”) announced that it has commenced proceedings against Google LLC alleging misleading and deceptive conduct in failing to inform consumers and obtain their informed consent  from 2016 that it was combining their personal information in Google accounts with information gleaned from their activities in non Google sites which use Google technology.  The ACCC also alleges that Google misled consumers about changes to its privacy policy.

The ACCC has not released the concise statement and the case has not appeared on the Federal Court website as yet.  It is interesting, and something of a relief, that the ACCC is stepping up and taking on privacy related cases instead of the Australian Information Commissioner.  Unfortunately the Commissioner has a lamentable track record in enforcing privacy breaches, particularly in the Federal Court.

The nature of the case as described by the ACCC seems to follow a tried and true approach used by the Federal Trade Commission in the United States, attacking privacy and data breaches through breaches of contractual terms or misleading and deceptive conduct.  It is also an approach that the Federal Court is more comfortable with.  To date the Federal Court has produced judgments that betray a bewildering befuddlement regarding privacy principles; namely Read the rest of this entry »

In HQ Insurance Pty Limited v Stonehatch Risk Solutions Limited (No 2) [2020] FCA 1010 the Federal Court per Thawley dismissed an application for preliminary discovery on the grounds that the applicant failed to establish that reasonable inquiries were made.

FACTS

The dramatis personae are:

• HQ,  an Australian bloodstock and livestock insurance broker specialising in equine insurance. It holds an AFSL which authorises it to advise and deal in general insurance [17].
• Stonehatch,  a United Kingdom (UK) based insurance broker specialising in bloodstock insurance. It does not hold an AFS [17]]
• Ausure (Upper Hunter) Pty Ltd trading as Ausure Insurance Solutions (NSW),  an insurance broker which brokered equine thoroughbred insurance through Stonehatch as its wholesale broker in the UK where the equine risks were underwritten by various Lloyd’s syndicates [18].

On 25 September 2018, HQ completed its purchase of Ausure’s client book of insurance policies. HQ transferred the insurance files to their own wholesale broker, Integro Brokers Limited, in the UK, on 18 October 2018 [19].

Under the agreement between Read the rest of this entry »

In Lewis (liquidator), in the matter of Concrete Supply Pty Ltd (in liq) [2020] FCA 841 White considered the relevant principles in considering an application under section 477(2B) of the Corporations Act 2001.

FACTS

Between August 2009 and November 2017, ABCL had supplied concrete to Concrete Supply [5].

In October 2017, ABCL discovered that it had been underpaid about $12 million by Concrete Supply.  The underpayment was disguised by false entries made by one of its employees.  ABCL sought payment of the shortfall from Concrete Supply. On 14 November 2017, the directors of Concrete Supply resolved that it was, or was likely to become, insolvent and appointed Messrs Cooper and Cantone at Worrells as administrators. On 19 December 2017, the creditors of Concrete Supply resolved that it enter into a Deed of Company Arrangement (” DOCA”) [5].

ABCL opposed the Read the rest of this entry »

The 1st July 2020 is the commencement of the Consumer Data Right.  Under the legislation consumers an request their banks to share data for deposit and transaction accounts as well as credit and debit cards.  As of today there are two accredited data recipients however a further 39 providers have started the process.  Data from home, personal and investment loans and joint accounts will commence on 1 November.

The regulatory structure is interesting.  There are two regulators who will be responsible for regulation, the ACCC and the OAIC.  They come from two ends of the spectrum.  The ACCC is a good regulator by Australian standards while the OAIC is a dreadful regulator by any standards.  The ACCC is run by a thoughtful and insightful chairman, I can’t recall who runs the OAIC.  The Compliance and Enforcement Policy is Read the rest of this entry »