What is a Mandatory Data Breach Notification for Privacy? – FAQs

Do mandatory data breach notifications apply to you?

If you are in Australia and collect personal information from clients, customers, suppliers, partners or anyone else for that matter, then maybe they do. But from a compliance perspective, these laws don’t affect you unless you are already required to comply with Australian privacy law. That means you must comply if:

  • you operate a public, private or not-for-profit organisation with more than $3m turnover per year
  • you are a health service provider (not just doctors, this can include gyms, childcare centres, life coaches and schools), regardless of turnover
  • you are part of a federal government agency
  • you are part of a credit reporting agency
  • your business buys or sells personal information

What are mandatory data breach notifications about?

Data breach notification sits within Australian privacy law, and in practice it is all about cyber security.

The objective of the new law is to give individuals (those who care) confidence that their privacy is being protected. The laws apply regardless of technology, and encourage transparency and accountability.

What does it mean if you have an eligible data breach?

Mandatory data breach notifications relate only to personal information. Personal information is defined in the Privacy Act as:

Personal information is –

information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  – whether the information or opinion is true or not; and
  – whether the information or opinion is recorded in a material form or not.

So if your business is hacked and you lose commercial information, that is irrelevant to this law.

The key components of a data breach are:

  • it involves personal information
  • it does not have to be bulk data; personal information about one person may be enough
  • the data has been accessed or disclosed
  • the data has been lost in circumstances where it is likely to be accessed or disclosed (like when NASA employees left a laptop containing access codes to the space station in a cab…)
  • there is a likely risk of serious harm to the people who have had their personal information accessed, disclosed or lost

What does ‘Serious Harm’ mean for a data breach?

Serious harm is a broad concept including physical, psychological, emotional, economic, financial or reputational harm (like when Ashley Madison got hacked and all those people cheating on their partners risked being exposed…)

What counts as serious harm is likely to differ for each organisation and will probably be tied to the reason the data was collected. Customers of a financial institution might risk economic loss, and customers of a medical clinic might risk psychological, emotional or reputational damage.

Think about what is important to your customers, or the people whose personal information and data you collect.

What should you have in place to handle mandatory data breach notifications?

Not surprisingly, a large proportion of small businesses have ad hoc systems in place and no real understanding of what they collect, or how they control their data. This is particularly the case when using third-party systems that also store data, like Eventbrite.

IT, management and communications teams will need to work together for data breach notifications.

The top 10 things to consider are:

  1. Every organisation covered by these laws should have a clear understanding of how their data is collected, stored and used and the vulnerabilities of those systems.
  2. Identify ‘who’ in the organisation is responsible for managing data.
  3. Identify the likelihood and consequence of an eligible data breach.
  4. Put in place staff training and security measures to reduce the chance of an eligible data breach.
  5. Understand what ‘serious harm’ could arise if there was a breach.
  6. Work out what would need to happen to avoid ‘serious harm’ and how quickly that could be implemented if there was a breach.
  7. Put in place a recovery plan in case of a breach.
  8. Put in place a communications plan that includes (as a minimum) the communication to those affected, a press release to reduce reputational damage, and the notification to the Privacy Commissioner.
  9. Check the business cyber insurance to see that it covers data breaches and the consequences.
  10. Test a data breach scenario to ensure your business has the ability to manage an eligible data breach.

And lastly…

Remember that data breach laws are technology neutral.

Just because you still operate with a largely paper based system does not mean that this law will not apply.

As someone pointed out to me, most filing cabinets can be unlocked with a paperclip.

How can Onyx Legal help you?

If you need help identifying risks to disclosure of personal information in your business and procedures to manage those risks, or need support developing policies and procedures for managing personal information, then make an appointment to find out how we can help you.

Is the Law Black and White?

No, the law is not black and white

I’m on the road today in between meetings and just thought I’d share something with you. I’ve heard again this morning that law is very black and white.

Actually, it’s not. If it was black and white we wouldn’t need lawyers, we wouldn’t need courts to argue over what something means.

There’s a joke going around that if you give a sentence to six lawyers and ask them to tell you what it means, you’ll get six different meanings. It’s true. So, don’t assume that law is black and white.

Yes, we try and get clear, concise decisions by putting together contracts, and agreements, and stuff like that, but if things weren’t subject to interpretation, we wouldn’t have courts and we wouldn’t have a whole bunch of lawyers that we do today. So, no, law is not black and white. It’s all shades of grey and it is subject to interpretation.

One thing I say to people is, if you’re going to get into a dispute, if you think court is the answer, you have never got better than a 50/50 chance of winning.

I’ve been involved in cases which we thought we were dead set going to win, and we’ve lost. I’ve been involved in cases where we just thought we were going to lose and we’ve won.

There are so many things that it’s subject to on the day, or on the days of court, that you can’t predict what the decision is going to be. So don’t think law and courts are the only way, and you’re going to get justice or it’s going to turn out your way.

You can’t make those assumptions. You’ve got to look at the cost, and the time, and everything else involved. So, please keep that in mind.

How can Onyx Legal help you?

If you’d like to resolve a dispute without having to go to court and need a hand with your negotiation, talk to one of our team to find out how we can best support you in getting to a result you can live with now, so that you can get on with business.

Should you Register a Trade Mark?

Knowing When to Register a Trade Mark

(In Australia we write ‘trade mark’ as two words; in the US it’s ‘trademark’.)

I’ve just been at an Angel Investor and Entrepreneur breakfast. One of the things we were talking about this morning was branding and looking at how to use your branding and how you might leverage your business and change the direction of your business in the future. So, whether or not you actually want to register trade marks now, what trade marks are worth registering? All of those sorts of questions came up.

One consideration to weigh before deciding whether or not to register a trade mark is:

Where is the value in my business?

So, if the value is in the trade mark, then it’s worth registering. If the value is in some other aspect of the business, maybe you want to invest your money more in that first before you register a trade mark. Just something to think about. For more detail, have a look at our guest post on Problogger.com about registering a trademark without hiccups.

Also, remember that not all things are capable of being registered as trade marks.

General descriptions and place names can’t be registered. We had a client once who said, “Hey, I want to register this trademark and it’s just been rejected by the trademark office. Can you tell me why?” The reason their application was rejected was because they wanted to register something like “Auto Sales, Brisbane”. It’s too generic. There’s no way you’re going to get that registered as a trade mark, because too many people in the same industry need to be able to use those words in that kind of order.

So just remember that not everything is capable of being registered as a trade mark and trade mark registration, although important, may not be your top priority right now.

How can Onyx Legal help you?

We can help you get your trade mark registered. We will help you identify the right classes and descriptions to protect your business and manage the process until your registration certificate comes through.

Avoid copyright infringement with Facebook Live

On 3 February 2017, Australian television broadcaster Foxtel televised a highly anticipated boxing match between two well-known boxers, Danny Green and Anthony Mundine. Viewers had to subscribe through Foxtel and pay a fee to watch the fight live on TV.

Australian resident Darren Sharpe was a genuine Foxtel subscriber who paid the required fee to watch the fight live. For those who aren’t exactly sure what live streaming is, it’s the ability to broadcast audio and video as it happens. Any time you want to “go live” you can and anyone watching your posts on Facebook can see you, or whatever it is you are streaming.

Sharpe made the mistake of using his phone to record the fight and stream it live through Facebook Live. While he was live streaming the fight, Sharpe received a call from Foxtel asking him to stop. It was reported that he said he couldn’t, because he had 70,000+ people watching it, which was exactly Foxtel’s point. While Sharpe was allowing a bundle of people to watch the fight for free, Foxtel and all those sports bars out there were losing revenue.

When Sharpe refused to stop the streaming, Foxtel immediately suspended his subscription, leaving him and his followers to miss the rest of the fight.

Sharpe did what he did on purpose, and continued after receiving notice of infringement. You should also be aware of the risk of accidental infringement. You might have seen some television shows blur posters, signs, t-shirt branding and other images. It is usually because what has been blurred is protected by copyright and the producer didn’t get permission. It is easy to blur a background image when you have the ability to edit, but not in live streaming. If you infringe someone’s copyright, even accidentally, there can be consequences you didn’t anticipate.

Originally Foxtel claimed that it would pursue legal action against Mr. Sharpe for breaching copyright. Luckily for Mr. Sharpe, that legal action was dropped after he posted a carefully worded public apology on his Facebook page. It is unclear what conversations occurred between Foxtel and Facebook. Given that Mr. Sharpe was able to so easily live stream the fight from his Facebook page, it raises the question –

Should Facebook be responsible for copyright infringement?

Probably not.

One side of the argument is that Facebook should be more responsible for what users post, as it has the ability to police the content on its website and act quickly to disable infringing material. On the other hand, it is costly and time-consuming to monitor the pages of over 1 billion users. Facebook’s terms and conditions do require all users to have permission to use the content they upload, whether written, audio, video, or, as is now available, through live streaming.

United States legislation requires online service providers, such as Facebook, to take action against copyright infringement. The Digital Millennium Copyright Act (“DMCA”) exempts online service providers from liability for copyright infringement by their users in certain situations. There is no Australian equivalent. The exemption requires online service providers to take down, remove or disable access to infringing material once they are given notice that offending material has been posted on their network. It is clearly working: Facebook’s copyright policy provides rights holders with an easy mechanism to give notice to Facebook that intellectual property has been infringed and to have the offending material removed or a user’s profile disabled.

Can Facebook be overzealous in taking down infringing content?

Has the DMCA and its safe harbours caused Facebook to be overzealous when taking down material and disabling profiles?

Facebook page administrators are given no warning that their page will be shut down. Anybody with an email address, real or fake, can make a complaint to Facebook without having to validate the claim, effectively giving anyone the ability to shutter any page without proof.

Facebook has suffered criticism in the past (Huffington Post) for shutting down pages where copyright infringement has been alleged when in fact no infringement existed. The above extract of Facebook’s terms shows the ‘hands off’ approach taken by the company after Facebook has removed content. What is worse is when a business page is removed without warning, taking potential customers and contacts with it. In late 2017 a Queensland client had their page removed and received an email notification from Facebook referring them to the company that lodged the complaint.

Hello,

We’ve removed or disabled access to the following content that you posted on Facebook because a third party reported that the content infringes or otherwise violates their trademark rights:

Page: ###

Facebook is not in a position to adjudicate disputes between third parties. If you believe that this content should not have been removed from Facebook, you can contact the complaining party directly to resolve your issue:

Notice #: ###

Contact Information
Rights Owner: ## Inc.
Email: ##
Trademark: ##

If an agreement is reached to restore the reported content, please have the complaining party email us with their consent and include the original reference number. We will not be able to restore this content to Facebook unless we receive explicit notice of consent from the complaining party. Please note that the complaining party is not required to respond to your request.

We strongly encourage you to review the content you have posted to Facebook to make sure that you have not posted any other infringing content, as it is our policy to terminate the accounts of repeat infringers when appropriate.

For more information about intellectual property, please visit our Help Center at https://www.facebook.com/help/370657876338359/.

The Facebook Team

In this instance, the rights holder had a trade mark registered in the United States. Intellectual property rights are not granted worldwide. The Queensland company had the same trade mark registration pending in Australia. Facebook appears to be very U.S.-centric in how it reviews rights. The help centre information suggested that an appeal process would be available, but Facebook then failed to respond to any communication.

Facebook’s aggressive stance on copyright and trade mark infringement may hinder genuine rights holders. Where someone in the United States and someone in Australia hold the same trade mark in respect of similar goods, both are equally enforceable in their respective territories.

Facebook has put the onus back on rights holders to work the details of the infringement out for themselves. Their copyright policy states that users can follow up (by email) with the person who alleges the infringement. It also provides guidance on how to file an appeal if the content was removed due to a take down notice under the DMCA.

Facebook’s policy surrounding two legitimate rights holders is not clear but it appears they are acting cautiously. It may be the case that whoever gets in first to lodge infringement with Facebook may be the winner.

However, in the case of live streaming, Facebook’s response time might simply not be quick enough to protect their interests and alternate avenues will have to be explored.

How can Onyx Legal help you?

If you have any questions about copyright or trade marks, make an appointment to find out how we can help.

Delay in Action for Defamation Could Affect Your Claim

You need to be quick if you are worried about being defamed.

A couple of quick tips today that have come out of our work.

We had an inquiry about defamation. Now, if you are going to get upset about what somebody says about you, you need to take action quickly.

The person who spoke to us was concerned about something that was said back about six months before their call. It may be too late to take action. It may be implied that the defamatory statements were not that serious because the complainant knew about them for a long time and didn’t complain or take action earlier.

On the other hand, that length of time should also be enough to work out whether or not the complainant has actually suffered any damage to their reputation. It is also possible that an accumulation of repeated publications over that period starts to have a negative impact on the complainant, so that action to stop the defamation does become necessary.

We’ll have to look at the enquiry we have received more carefully before deciding how to proceed, but if someone is going to defame you, you need to take action. You need to decide what you’re going to do quickly. Don’t sit on it.

So your tip for today: if you feel you’ve been defamed, do something about it now.

How can Onyx Legal help you?

If you are concerned that you have been defamed on social media, or you are managing a social media group and have received a request to remove defamatory material, make an appointment so we can let you know what steps to take next.

Australian Standard Contracts Need Updating

Do your eyes glaze over when presented with a written contract for review? Do you hit the ‘I agree’ button and hope the contract terms are fairly standard? You are not the only one. A survey by The Guardian back in 2011 identified that only about 7% of consumers read terms and conditions before agreeing to them.

If so few people read contracts, then why should you bother to get your Australian Standard Contracts reviewed or updated?

Quick Answer: Update your contracts to avoid $100,000 in penalties and corrective advertising costs –

  • in April 2016 Europcar was ordered to pay $100,000 in penalties to ACCC and spend more in corrective advertising
  • in December 2016 Valve Corporation (online gaming) was ordered to pay penalties of $3 million to ACCC, publish corrective information and implement compliance programs

…Not to mention avoiding having to deal with customer complaints and potentially being sued.

It’s also a good opportunity to have your contracts converted to plain English and presented in a language that makes sense to both you and your customers. I’ve had clients give feedback that their customers have been impressed with how easy it is to understand their contracts. The Virgin brand has done it for years – using real language to help people manage the legal issues instead of exhausting customers with legalese.

But getting back to Unfair Contract Terms….

If you work B2B and use standard form contracts, your business now falls within the Australian Consumer Law. If your business customers have fewer than 20 employees, or the face value of the contract is less than $300,000, then you have to comply. Companies with more employees and higher transaction values are expected to get legal advice on their contracts as a matter of course. It’s considered sensible business practice. Interestingly, there are still a lot of businesses who wait until the sh*t hits the fan before they ask for help, and by that stage, it’s a whole lot more expensive to manage.

So, what are the key areas of your standard contracts that need review?

The courts look at a variety of different things, but some of the most frequently considered factors are –

  • whether the terms are negotiable or just ‘take it or leave it’ (click wrap agreements for software are ‘take it or leave it’ contracts)
  • if the contract was prepared by one party before any discussion between the parties
  • who has all or most of the bargaining power
  • the effect of an offending term on the rights of the affected party
  • the actual risk or damage to the contract writer
  • whether the terms of the contract are altered to take into account the specific characteristics of the other party or the particular transaction.

The Europcar case focused on the disproportionate liability to the person hiring a vehicle. In that case Europcar attempted to hold a hirer responsible whether or not they were at fault. Europcar also required the hirer to pay a damage liability fee of $3650 regardless of the actual value of damage, unless the hirer bought extra insurance. So theft of the vehicle could cost a hirer $3650, but so could a dented bumper. The court decided in that case that the contract terms were not reasonably necessary to protect the legitimate interests of Europcar, as well as being disproportionate.

It is also important that standard contract terms are ‘transparent’. This means your contracts need to be –

  • expressed in reasonably plain language
  • legible
  • presented clearly
  • readily available to any party affected before they buy

Some common contract terms that will need review are:

  • clauses that give one party the right to make changes, but not the other – like software agreements that allow the software provider to increase fees automatically
  • clauses that roll over automatically, regardless of the customer’s wishes
  • clauses that make it hard or impossible for one party to terminate or get out of the agreement
  • clauses that require a buyer to forfeit their deposit, even if you cannot supply the product or service
  • one sided indemnity provisions
  • clauses that disclaim all liability, including negligence
  • clauses that limit the damages a buyer can claim, but don’t limit the damage the seller can claim
  • penalty provisions – like advertising agencies that want a two year agreement with no right to terminate and claim a right to charge whether or not they provide any advertising

If you are one of the 7% of people who read contracts before you agree to the terms, you might have seen some of these provisions. If you haven’t looked at your own business standard contract for a while, NOW is a great time to review and update. We generally recommend that Australian Standard Contract forms, including terms and conditions and the privacy policy on your website or app, should be reviewed and updated at least every two years to ensure your business remains compliant and you avoid the risk of hefty fines and time-consuming legal actions.

When reviewing and updating your standard contracts, consider what is most important to your business, where you have the most issues with customers and how you’d like to communicate with your existing customers and leads. We can assist you with a strategy for implementation as well as helping you review, update or refresh your legal contracts.

Book an Appointment now to request a contract review or to update or create your standard contract terms.

How can Onyx Legal help you?

We love writing contracts. Weird, we know. But hey, some people love mountain climbing, so go figure!