What is a Mandatory Data Breach Notification for Privacy? – FAQs

Do mandatory data breach notifications apply to you?

 

If you are in Australia and collect personal information from clients, customers, suppliers, partners or anyone else for that matter, then maybe they do. But from a compliance perspective, these laws don’t affect you unless you are already required to comply with Australian Privacy law. Which means, you must comply if:

  • you operate a public, private or not for profit organisation with more than $3m turnover per year
  • you are a health service provider (not just doctors, this can include gyms, childcare centres, life coaches and schools), regardless of turnover
  • you are part of a federal government agency
  • you are part of a credit reporting agency
  • your business buys or sells personal information

What are mandatory data breach notifications about?

Data breach falls within Australian privacy laws and is all about cyber security.

The objective of the new law is to give individuals (those who care) confidence that their privacy is being protected. The laws apply regardless of technology, and encourage transparency and accountability.

What does it mean if you have an eligible data breach?

Mandatory data breach notifications only relate to personal information. Personal information is defined in the Privacy Act as:

Personal information is –

information or an opinion about an identified individual, or an individual who is reasonably identifiable:

– whether the information or opinion is true or not; and

– whether the information or opinion is recorded in a material form or not.

So if your business is hacked and you lose commercial information, that is irrelevant to this law.

The key components of a data breach are:

  • it involves personal information
  • it does not have to be bulk data, personal information about one person may be enough
  • the data has been accessed or disclosed
  • the data has been lost in circumstances where it is likely to be accessed or disclosed (like when NASA employees left a laptop containing access codes to the space station in a cab…)
  • there is a likely risk of serious harm to the people who have had their personal information accessed, disclosed or lost

What does ‘Serious Harm’ mean for a data breach?

Serious harm is a broad concept including physical, psychological, emotional, economic, financial or reputational harm (like when Ashley Madison got hacked and all those people cheating on their partners risked being exposed…)

What is serious harm is likely to be different for each organisation and probably associated with the reason why data has been collected. Customers of a financial institution might risk economic loss, and customers of a medical clinic might risk psychological, emotional or reputation damage.

Think about what is important to your customers, or the people whose personal information and data you collect.

What should you have in place to handle mandatory data breach notifications?

Not surprisingly, a large proportion of small businesses have ad hoc systems in place and no real understanding of what they collect, or how they control their data. This is particularly the case when using third-party systems that also store data, like Eventbrite.

IT, management and communications teams will need to work together for data breach notifications.

The top 10 things to consider are:

  1. Every organisation covered by these laws should have a clear understanding of how their data is collected, stored and used and the vulnerabilities of those systems.
  2. Identify ‘who’ in the organisation is responsible for managing data.
  3. Identify the likelihood and consequence of an eligible data breach.
  4. Put in place staff training and security measures to reduce the chance of an eligible data breach.
  5. Understand what ‘serious harm’ could arise if there was a breach.
  6. Work out what would need to happen to avoid ‘serious harm’ and how quickly that could be implemented if there was a breach.
  7. Put in place a recovery plan in case of a breach.
  8. Put in place a communications plan that includes (as a minimum) the communication to those affected, a press release to reduce reputational damage, and the notification to the Privacy Commissioner.
  9. Check the business cyber insurance to see that it covers data breaches and the consequences.
  10. Test a data breach scenario to ensure your business has the ability to manage an eligible data breach.

And lastly…

Remember that data breach laws are technology neutral.

Just because you still operate with a largely paper based system does not mean that this law will not apply.

As someone pointed out to me, most filing cabinets can be unlocked with a paperclip.

How can Onyx Legal help you?

If you need help identifying risks to disclosure of personal information in your business and procedures to manage those risks, or need support developing policies and procedures for managing personal information, then make an appointment to find out how we can help you.

Is the Law Black and White?

No, the law is not black and white

I’m on the road today in between meetings and just thought I’d share something with you. I’ve heard again this morning that law is very black and white.

Actually, it’s not. If it was black and white we wouldn’t need lawyers, we wouldn’t need courts to argue over what something means.

There’s a joke going around that if you give a sentence to six lawyers and ask them to tell you what it means, you’ll get six different meanings. It’s true. So, don’t assume that law is black and white.

Yes, we try and get clear, concise decisions by putting together contracts, and agreements, and stuff like that, but if things weren’t subject to interpretation, we wouldn’t have courts and we wouldn’t have a whole bunch of lawyers that we do today. So, no, law is not black and white. It’s all shades of grey and it is subject to interpretation.

One thing I say to people is, if you’re going to get into a dispute, if you think court is the answer, you have never got better than a 50/50 chance of winning.

I’ve been involved in cases which we thought we were dead set going to win, and we’ve lost. I’ve been involved in cases where we just thought we were going to lose and we’ve won.

There’s so many things that it’s subject to on the day, or on the days of court, that you can’t predict what the decision is going to be. So don’t think law and courts are the only way, and you’re going to get justice or it’s going to turn out your way.

You can’t make those assumptions. You’ve got to look at the cost, and the time, and everything else involved. So, please keep that in mind. 

How can Onyx Legal help you?

If you’d like to resolve a dispute without having to go to court and need a hand with your negotiation, talk to one of our team to find out how we can best support you in getting to a result you can live with now, so that you can get on with business.

Should you Register a Trade Mark?

Knowing When to Register a Trade Mark 

(In Australia we write ‘trade mark’ as two words, in the US it’s ‘trademark’).

I’ve just been at an Angel Investor and Entrepreneur breakfast. One of the things we were talking about this morning was branding and looking at how to use your branding and how you might leverage your business and change the direction of your business in the future. So, whether or not you actually want to register trade marks now, what trade marks are worth registering? All of those sorts of questions came up.

One of the considerations that you can give before making a decision to register a trade mark or not is:

Where is the value in my business?

So, if the value is in the trade mark, then it’s worth registering. If the value is in some other aspect of the business, maybe you want to invest your money more in that first before you register a trade mark. Just something to think about. For more detail have a look at our guest post on Problogger.com about registering a trademark without hiccups.

Also, remember that not all things are capable of being registered as trade marks.

General descriptions and place names can’t be registered. We had a client once who said, “Hey, I want to register this trademark and it’s just been rejected by the trademark office. Can you tell me why?” The reason their application was rejected was because they wanted to register something like “Auto Sales, Brisbane”. It’s too generic. There’s no way you’re going to get that registered as a trade mark, because too many people in the same industry need to be able to use those words in that kind of order.

So just remember that not everything is capable of being registered as a trade mark and trade mark registration, although important, may not be your top priority right now.

How can Onyx Legal help you?

We can help you get your trade mark registered. We will help you identify the right classes and descriptions to protect your business and manage the process until your registration certificate comes through.

Avoid copyright infringement with Facebook Live

On 3 February 2017, Australian television broadcaster Foxtel televised a highly anticipated boxing match between two well-known boxers, Danny Green and Anthony Mundine. To watch the fight, viewers were required to subscribe through Foxtel and pay a fee to watch the fight live on TV.

Australian resident Darren Sharpe was a genuine Foxtel subscriber who paid the required fee to watch the fight live. For those who aren’t exactly sure what live streaming is, it’s the ability to broadcast audio and video as it happens. Any time you want to “go live” you can and anyone watching your posts on Facebook can see you, or whatever it is you are streaming.

Sharpe made the mistake of using his phone to record the fight and stream it live through Facebook Live. While he was live streaming the fight, Sharpe received a call from Foxtel asking him to stop. It was reported that he said he couldn’t, because he has 70,000+ people watching it, which was exactly Foxtel’s point. While Sharpe was allowing a bundle of people to watch the fight for free, Foxtel and all those Sports Bars out there were losing revenue.

When Sharpe refused to stop the streaming, Foxtel immediately suspended his subscription, leaving him and his followers to miss the rest of the fight.

Sharpe did what he did on purpose, and continued after receiving notice of infringement. You should also be aware of the risk of accidental infringement. You might have seen some television shows blur posters, signs, t-shirt branding and other images. It is usually because what has been blurred is protected by copyright and the producer didn’t get permission. It is easy to blur a background image when you have the ability to edit, but not in live streaming. If you infringe someone’s copyright, even accidentally, there can be consequences you didn’t anticipate.

Originally Foxtel claimed that it would pursue legal action against Mr. Sharpe for breaching copyright. Luckily for Mr. Sharpe, that legal action was dropped after he posted a carefully worded public apology on his Facebook page. It is unclear what conversations occurred between Foxtel and Facebook. Given that Mr. Sharpe was able to so easily live stream the fight from his Facebook page, it raises the question –

Should Facebook be responsible for copyright infringement?

Probably not.

One side of the argument is that Facebook should be more responsible for what users post as it has the ability to police the content on its website and act quickly to disable infringing material. On the other hand it is costly and time-consuming to monitor the Facebook page of over 1 billion users. Facebook terms and conditions do require all users to have permission to use the content they upload, whether written, audio, video, or as is now available, through live streaming.

United States legislation requires online service providers, such as Facebook, to take action against copyright infringement. The Digital Millennium Copyright Act (“DMCA”) exempts online service providers from liability for copyright infringement by their users in certain situations. There is no Australian equivalent. The exemption requires online service providers to take down, remove or disable access to infringing material where they are given notice that offending material has been posted on their network. It is clearly working. Facebook’s copyright policy provides rights holders with an easy mechanism to give notice to Facebook that intellectual property has been infringed and have the offending material removed or have a user’s profile disabled.

Can Facebook be overzealous in taking down infringing content?

Have the DMCA and its safe harbours caused Facebook to be overzealous when taking down material and disabling profiles?

Facebook page administrators are given no warning that the page would be shut down. Anybody with an email address, real or fake, can make a complaint to Facebook without having to validate the claim, effectively giving anyone the ability to shutter any page without proof.

Facebook has suffered criticism in the past (Huffington Post) for shutting down pages where copyright has been alleged, when in fact no copyright infringement existed. The above extract of Facebook terms shows the ‘hands off’ approach taken by the company after Facebook has removed content. What is worse, is when a business page is removed without warning, taking potential customers and contacts with it. In late 2017 a Queensland client had their page removed and received email notification from Facebook referring them to the company that lodged the complaint.

Hello,

We’ve removed or disabled access to the following content that you posted on Facebook because a third party reported that the content infringes or otherwise violates their trademark rights:

Page: ###

Facebook is not in a position to adjudicate disputes between third parties. If you believe that this content should not have been removed from Facebook, you can contact the complaining party directly to resolve your issue:

Notice #: ###

Contact Information
Rights Owner: ## Inc.
Email: ##
Trademark: ##

If an agreement is reached to restore the reported content, please have the complaining party email us with their consent and include the original reference number. We will not be able to restore this content to Facebook unless we receive explicit notice of consent from the complaining party. Please note that the complaining party is not required to respond to your request.

We strongly encourage you to review the content you have posted to Facebook to make sure that you have not posted any other infringing content, as it is our policy to terminate the accounts of repeat infringers when appropriate.

For more information about intellectual property, please visit our Help Center at https://www.facebook.com/help/370657876338359/.

The Facebook Team

In this instance, the rights holder had a trade mark registered in the United States. Intellectual property rights are not granted worldwide. The Queensland company had the same trade mark registration pending in Australia. Facebook appears to be very U.S.-centric in how it reviews rights. The help centre information suggested that an appeal process would be available, but Facebook then failed to respond to any communication.

Facebook’s aggressive stance on copyright and trade mark infringement may hinder the impact of genuine rights holders. Where someone in the United States and someone in Australia have the same trade mark in respect of similar goods, both are equally enforceable in their respective territories.

Facebook has put the onus back on rights holders to work the details of the infringement out for themselves. Their copyright policy states that users can follow up (by email) with the person who alleges the infringement. It also provides guidance on how to file an appeal if the content was removed due to a take down notice under the DMCA.

Facebook’s policy surrounding two legitimate rights holders is not clear but it appears they are acting cautiously. It may be the case that whoever gets in first to lodge infringement with Facebook may be the winner.

However, in the case of live streaming, Facebook’s response time might simply not be quick enough to protect their interests and alternate avenues will have to be explored.

How can Onyx Legal help you?

If you have any questions about copyright or trade marks, make an appointment to find out how we can help.

Delay in Action for Defamation Could Affect Your Claim

You need to be quick if you are worried about being defamed. 

A couple of quick tips today that have come out of our work.

We had an inquiry about defamation. Now, if you are going to get upset about what somebody says about you, you need to take action quickly.

The person who spoke to us was concerned about something that was said about six months before their call. It may be too late to take action. It may be implied that the defamatory statements were not that serious because the complainant knew about them for a long time and didn’t complain or take action earlier.

On the other hand, it should also be possible in that length of time to work out whether or not the complainant has actually suffered any damage to their reputation, and it may be possible that an accumulation of repeated publications over that length of time starts to have a negative impact on the complainant, so that action to stop defamation does become necessary.

We’ll have to look at the enquiry we have received more carefully before deciding how to proceed, but if someone is going to defame you, you need to take action. You need to decide what you’re going to do quickly. Don’t sit on it.

So your tip for today: if you feel you’ve been defamed, do something about it now.

How can Onyx Legal help you?

If you are concerned that you have been defamed on social media, or you are managing a social media group and have received a request to remove defamatory material, make an appointment so we can let you know what steps to take next.