In February 2019, it was announced that one of Australia’s largest property valuation firms, LandMark White (“LMW”), had suffered a data breach compromising over 100,000 documents, including valuations and clients’ personal information. ...
5 Top Data Privacy Tips for Your Organisation
- Change how you look at data.
Everything has a price – and people are paying big money for data. Treat data like holding physical gold.
- Review your policies often.
- Take some serious steps to secure the data that you store.
Focus on your biggest weakness – you and your employees. Get training early and often. Encrypt everything.
- Have a plan in place.
Data breaches are incredibly stressful, and your actions dictate the response of customers and regulators later. Planning ahead can make all the difference.
- Ask if you really need the data you’re collecting at all.
Too many companies collect data without giving thought to the risk they’re taking on. Do you actually need a customer’s full name and address? Could you use a third-party payment processor? Less data = less risk.
Make no bones about it – the last decade has been the decade of data abuse. From monetisation through Facebook and Google to secret government initiatives like the NSA’s PRISM, data privacy hasn’t been very well respected these last 10 years.
It’s hard to see this trend reversing course for the next decade. Reliance on services which monetise personal data is increasing, from Facebook Messenger to Amazon Alexa.
Intelligence legislation is becoming increasingly draconian (more on that below). But perhaps the biggest challenge for data privacy will come from the many new ways data will be used in the next decade.
The buzz in Australia around ‘Smart Cities’ is a perfect example. The premise sounds great – an interconnected metropolis where cars park themselves, ...
Data breaches are a common occurrence in the tech world. In the past, if you wanted to steal information, you would have had to buy a crowbar, break a window and jimmy open a filing cabinet.
These days, stealing data is as easy as guessing a password. Whether your breach is due to a phishing scam, a patchy security system, or Janet in accounting, most modern companies have to deal with the issue of digital security.
In recognition of this fact, the Australian government recently amended the Privacy Act to include the Notifiable Data Breaches Scheme, a comprehensive guide on how to deal with a data breach.
Of course, in law-land, “comprehensive” is often a synonym for “mind-numbing”, so we’ve put together a short guide on how you should deal with data breaches that won’t put you to sleep.
What is a data breach?
A data breach is anything that results in somebody having unauthorised access to information likely to result in serious harm.
It’s pretty context-specific. For example, if your toddler steals your phone, guesses your work password and sends a selfie to your boss, that’s probably not a serious data breach. However, if a hacker does the same thing to your entire work contact list, it might result in serious harm.
If you suffer a data breach, there’s one thing you need to remember: CATS.
It’s an initialism we came up with to simplify the data breach process. (It also doubles as a reminder to look at cats on the internet, which is a great way to relieve stress after a data breach.)
- Control - If you think a breach has happened, your first priority is to control the situation. Stop the breach to the extent you can, lock down and identify what information might have been breached.
- Assess - Assess the situation. Ask whether serious harm is likely. If it is, you need to conduct an assessment of the incident and decide whether you can do ...
From 22 February 2018, the Privacy Act 1988 (Cth) will include a mandatory data breach notification scheme. Under the scheme, entities governed by the Privacy Act, often referred to as APP entities, will be required to notify the Office of the Australian Information Commissioner (OAIC) and any affected individuals of ‘eligible data breaches’. ...
Each year, the Office of the Australian Information Commissioner (OAIC) holds a week of events to promote privacy and encourage best practices by companies and organisations on how they can keep your personal information safe. Each year has a different theme: this year, the focus of the week is “trust and transparency”. ...
In February 2017, the much anticipated Mundine/Green fight took place. This long-awaited match was expected to be an intense fight between two rivals; however, Australians received more than just one fight when a dispute over copyright emerged between Foxtel, the official broadcaster, and two Facebook users.
It is alleged that approximately 300,000 people viewed the fight via Facebook’s live-streaming service when the two men streamed the fight through their Facebook accounts. Foxtel, being the official broadcaster, alleges that the streaming of the fight violates their copyright as they held the exclusive rights to air the fight. Foxtel threatened legal action against the Facebook users.
The unofficial follow-up fight, however, did not last long as the two Facebook users issued public apologies the following week.
So why did the streaming of the fight cause such a disagreement?
Copyright law in Australia
Copyright law has a long history in Australia. Within the area of intellectual property law, copyright is one of the few rights bestowed automatically. This means that, unlike trade marks or patents, the person or company seeking the legal protection afforded by copyright law does not need to apply or be approved; it simply exists over the published work.
As the rightful owner or creator of the work, you get to decide who may re-publish your work and how. In the case of Foxtel, the organiser chose Foxtel to exclusively broadcast the fight. This means that Foxtel was the only entity that had permission to air the fight. Foxtel argues that streaming the fight is the same as broadcasting and therefore, when the two men streamed the fight, they were violating Foxtel’s exclusive rights.
Whether you view Foxtel’s actions as extreme or not, the potential legal issues relating to live-streaming will make headlines again as the service becomes more popular.
While this situation ...
Digital security is a hot topic in the news right now. From celebrities to nation states, everybody has data they’d like to keep private. For software providers, that means having up-to-date security measures.
In Australia, software providers need to adhere to the Australian Consumer Law (ACL), which applies to all suppliers of goods and services to customers in Australia.
Australian law requires businesses to secure the personal information of their clients and customers. Businesses must also protect this information from being lost, misused, or given away.
If your business collects clients’ personal information, you are required to take reasonable steps to secure it. Unfortunately, Australian privacy law is rather broad when defining ‘reasonable steps’. Nevertheless, here’s a list of things you should consider:
• whether you collect very, very personal information – known as ‘sensitive information’;
• whether there could be negative consequences if the information is breached;
• the size and quantity of the information;
• the time and cost involved in implementing security measures; and
• whether a security measure itself is invasive.
Australian Consumer Law
The ACL requires that software:
• achieves the desired results of the client;
• is ‘fit for purpose’ and consistent with the client’s desires; and
• is delivered with appropriate care and adequate skill.
Remember that some requirements of the ACL are binding no matter what. These requirements are known as ‘guarantees’. You can read more about them here.
Fit for Purpose?
As with “reasonableness”, the ACL is quite broad in the definition of ‘fit for purpose’.
For example, if a client fails ...
Earlier this month, the government released a draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (the Bill) for public comment. If the Bill is passed without major changes, it will have a significant impact on businesses in Australia.
Effect of the Bill if Passed
The Bill will apply to any businesses or agencies already subject to the Privacy Act 1988 (Cth).
If the Bill is passed through parliament, it will become legally mandatory for businesses or agencies to ‘notify individuals when a serious breach of security leads to the disclosure of personal information’ – but only for data breaches that cause a ‘real risk of serious harm.’
Examples of “serious harm” include financial loss or identity theft, and more broadly, physical, psychological and emotional harm.
Breaches are not just limited to theft or ‘hacking’ – the concept includes internal errors that cause accidental loss of an individual’s personal information.
If there is reasonable belief that a serious data breach has occurred, businesses would be required to notify both the Commissioner and each affected individual, using whatever customer communication tools they normally use.
If it is not practical to contact every individual, the business must take reasonable steps to publicise the notification – including on social media, on the business’ website or through print media.
Penalties for Failure to Notify
If a business fails to notify the affected individuals of a serious data breach, the business will be subject to the penalties outlined in the Privacy Act.
The Commissioner can investigate the issue and direct the business to notify the affected individuals. The current drafting allows businesses to seek a review of the Commissioner’s directions in the Administrative Appeals Tribunal.
For businesses that ...
The Federal Government has announced its plan to spend almost $1.1 billion over the next four years as part of a new "innovation package". The package aims to promote a significant increase in business-based development and growth Australia-wide.
Industry Minister Christopher Pyne has stated that the bulk of the innovation package will come into effect from July 2016. The most relevant initiatives for existing businesses, investors and start-ups are identified below.
Bankruptcy and Insolvency
- The period of bankruptcy will be reduced from three years to one year.
- Insolvency laws will be wound back in recognition of the fact that most entrepreneurs fail several times before they succeed.
- Companies in difficulty will be able to call a business adviser to help restructure their business, without being subject to insolvency laws.
- Existing contracts will remain in place when a company goes into voluntary administration.
- Company directors will not be personally liable for insolvent trading if they appoint a restructuring adviser.
Early stage investors in new start-up businesses will get:
- a non-refundable tax offset equivalent to 20% of the value of invested capital (capped at $200,000 a year); and
- zero capital gains tax if the investment is held for more than three years.
For example, if an investor invests $200,000 and claims the offset, they will reduce their taxable income by $40,000. If the investor sells his or her shares three years later, the initial $200,000 will be exempt from capital gains tax.
The government will also provide funding to help Australian entrepreneurs travel to booming technology hubs like Silicon Valley and Tel Aviv.
The ‘innovation package’ is likely to have a significantly positive impact on business development and growth in Australia.
However, there ...
This article was first published in the Internet Law Bulletin 2013 17(7) at 174.
- When reviewing advertising for legal compliance, consider:
  - Does the advertising have a dominant message?
  - Are there any conditions that impact the dominant message and, if so, are they sufficiently clear and prominent?
- For internet advertising, it is not sufficient that a consumer can “click” on the advertisement to learn about any conditions that vary the dominant message.
By now many of you will have heard about the High Court’s decision in the long-running misleading advertising dispute between the Australian Competition and Consumer Commission (ACCC) and TPG Internet Pty Ltd (TPG). In its decision handed down on 12 December 2013,[1] the High Court reinstated a $2 million pecuniary penalty imposed on TPG for a misleading advertising campaign about TPG’s unlimited broadband bundle.
The 4–1 majority judgment sent a clear message to advertisers to be careful in ensuring that the dominant message of their advertising and marketing is not misleading and deceptive. Advertisers cannot always rely on the fine print of an advertisement to avoid liability under the Australian Consumer Law (ACL) where the dominant message of an advertisement may be considered misleading or deceptive.
TPG’s multimillion dollar advertising campaign consisted of advertising in various forms of media, including online. So, what does this decision mean for businesses advertising on the internet?
In late September 2010, TPG launched a substantial and extensive advertising campaign in relation to its broadband Internet product with unlimited downloads, known as “Unlimited ADSL2+”. The campaign was run across various media, including television, radio, print, billboard and internet advertising, at a total cost of ...