A recent decision by Justice Porter KC of the Brisbane District Court provides valuable insights into the procedural and evidentiary aspects of substituted service applications. The ruling underscores the importance of diligence, accuracy, and adherence to statutory requirements in handling such legal matters.


Rule 116 of the Uniform Civil Procedure Rules 1999 (Qld) (UCPR) provides that in circumstances where it is impracticable to effect service of court documents in compliance with the regulations, the court may make an order substituting another way of serving the document.


On 2 August 2023 the Applicant commenced proceedings in the District Court of Queensland against the First Defendant, Jacksolo, for alleged lease-related debts, and the Second and Third Defendants as guarantors of Jacksolo under the lease.

In attempting to effect service of these initiating court documents, the Applicant experienced extensive difficulties:

  1. Express post – a sealed copy of the claim and statement of claim sent via express post to the First Defendant’s registered office was returned marked ‘RTS’ (return to sender);
  2. Personal service attempts by the Process Server were plagued by:

    a. conflicting information about the existence of the Unit in question;
    b. uncertainty about the Second Defendant residing at the specified addressed;
    c. unsuccessful interactions with occupants;

  3. Mobile phone – no response to voice messages; and
  4. Email – no acknowledgement of emails sent to the address previously provided.

Owing to these difficulties, the Applicant sought an order for substituted service of the proceedings on all three defendants under rule 116 of the UCPR.


His Honour Porter KC found that on the whole of the evidence, and having regarding to several steps that had not been taken to locate the Defendants, no inference arose that personal service was impracticable. A corollary of this finding, his Honour was also not satisfied that the alternative methods of service proposed by the Applicant would have a sufficient prospect of bringing the claim to the Defendants’ attention.


This case serves as a valuable educational tool, highlighting the intricacies and challenges associated with substituted service applications and emphasising the need for meticulous preparation and execution.

Personal Service Not Impracticable

The court scrutinised attempts (or lack thereof), made by the Applicant to locate / verify the location of the Defendants. Specifically:

a. no motor vehicle registration search was undertaken in respect of an Audi which was alleged to link the Second Defendant to a residential address;

b. photographs of the Second Defendant were not provided to the Process Server, which may have facilitated identification of a resident who opened the unit door at the residential address in question;

c. on the evidence before the Court, it appeared that no electoral roll search, title search or other investigation had been made by the Applicant; and

d. Bundaberg is not a particularly large town, such that if the Second and Third Defendants remained in the area, it was likely that reasonable efforts to locate or confirm the residence of the Debtors would be successful.

Substituted Service Must Bring Proceedings to Attention of the Other Party

It is not proper to substitute service of process in a court of law when there is no belief that the service will bring the proceedings to the knowledge of the person in question.[1]

Here, there was evidence before the Court that the email address of the Third Defendant, previously provided to the Applicant in separate legal proceedings, remained functional. Notwithstanding, the Court found that it was not reasonable to infer that a person keeps up to date with messages received in their inbox:

It is notorious that an email address can become flooded with irrelevant messages to the extent where it becomes an ineffective tool of communication.

Accordingly, His Honour was not satisfied that an email sent by the Applicant to this address would come to the Defendant’s attention.

Admissibility and Reliability of Evidence

The judgment identified issues of admissibility, reliability and completeness of information, which could impact the court’s ability to make a well-informed decision:

a. certain evidence relied on by the Applicant contained information from unidentified sources. This lack of identification raised questions about the credibility and reliability of the information provided; and

b. an email exhibit relied on by the Applicant’s solicitor to sustain the relief sought was based on hearsay statements, and was “inadmissible and inherently ambiguous”.

Requirements of an Ex Parte Application

A substituted service application is an ex parte application. That imposes a particular obligation on legal practitioners to ensure admissible evidence is tendered and any submission made is reasonably open on the admissible evidence.

For legal advice on navigating such matters, contact us today.

This article was written by James Tan and Courtney Linton.

[1] Miscamble v Phillips and Hoeflich (No 2) [1936] St R Qd 272, 274.


The applicant was a woman in her early twenties, who had been a long-term employee of the respondent as an Assistant Restaurant Manager. The respondent is part of the Southern Restaurants Group, the largest private KFC franchise owner in Australia.

The applicant submitted to the Tribunal that she planned to return to work from parental leave in November 2021 with flexible work arrangements to accommodate for her breastfeeding needs. Pursuant to the Fair Work Act 1998 (Cth),[1] she requested she be provided with a private and clean room with a comfortable chair, a refrigerator in which to store expressed milk, sufficient time to express, and facilities to wash and store equipment.

The respondent provided the applicant with a pop-up tent in a back storeroom with a chair. The storeroom was a small space without a door and therefore no privacy. The applicant believed that the sound of her expressing milk was audible to other staff. A staff member could enter the storeroom at any time. The respondent submitted to the Tribunal that it could not provide a private room due to the store layout and lack of private rooms. Further, any changes to store layout would have incurred to the respondent significant costs.

Due to the unsatisfactory work environment, the applicant began to leave site to express her milk at a local mall during unpaid meal breaks, but only when there was another manager on site. The respondent submitted that it could not permit the applicant to leave the store when she was operating in her management role, due to the policy that there must be at least one manager on site at any given time to respond to health and safety matters. It was further submitted it was too costly and inefficient to regularly ensure that there were two managers on site for the applicant’s shifts. Regularly, no other managers were present on site and therefore she could not take breaks to express milk. This caused the applicant significant pain and discomfort.

The applicant further proposed she be transferred to a nearby KFC restaurant, where more suitable facilities to express milk were available. This was initially declined by the respondent, to which it submitted would be disrupting to staff arrangements. Eventually, a transfer was agreed upon when the store could accommodate another manager, but the applicant resigned before the transfer occurred.

The applicant submitted to the Tribunal she felt ultimately “trapped and pressured to discontinue breastfeeding”[2] due to the respondent’s response to her ongoing requests and issues raised. She further submitted to the Tribunal that the respondent was ill informed regarding breastfeeding, and that the respondent had suggested that she step back to a casual role on multiple occasions to accommodate for her breastfeeding needs, which would be a demotion.


The Discrimination Act 1991 (ACT) (“Discrimination Act”) protects persons with protected attributes from direct and indirect discrimination[3] in certain areas of public life, including employment[4]. One of the protected attributes is breastfeeding.[5] Queensland offers similar protections for breastfeeding at work under the Anti-Discrimination Act 1991 (Qld).[6] The applicant alleged that she was indirectly discriminated against as per section 8(3) of the Discrimination Act.

The Tribunal referred to the case of Australian Capital Territory v Wang[7] as a framework for applying section 8 of the Discrimination Act. Under this framework and the Act, the applicant is required to establish in evidence that the respondent had been imposing, or proposing to impose, a condition or requirement that has, or is likely to have, the effect of disadvantage due to her protected attribute. If successful, the onus is then on the respondent to demonstrate that the effect of the disadvantage was not due to her protected attribute, or alternatively that the condition or requirement imposed was reasonable in the circumstances.

Was there a particular condition or requirement in the circumstances of this application?

The Tribunal found that the respondent imposes as a condition of employment upon mangers of its stores, in that they may not leave the store unless there is another manger on site, trained in work health and safety.

Was the condition imposed by the respondent?

The Tribunal found that the respondent imposed the condition upon the applicant, as a manger of one of the stores, and insisted upon her compliance. The condition was not mandated by law or any work place regulation, rather, a term of employment imposed for commercial reason. The respondent was found to have resisted variation or flexibility relating to the condition.

Was the effect of the condition to disadvantage certain people with that attribute?

The Tribunal found that the effect of this condition was disadvantageous upon employees with the attribute of breastfeeding, and that the disadvantage arose because of the imposition of the condition of the respondent, and their failure to make appropriate alternative arrangements.

The Tribunal further noted that the respondent’s submission that it let the applicant leave the store “most of the time” to express milk was not a sufficient accommodation.

Did the detriment occur because the applicant had that attribute?

The Tribunal was satisfied that that the imposition of the condition upon the applicant resulted in her ill health, arising from the workplace response, due to her attribute of breastfeeding.

Was the condition reasonable in all the circumstances?

The Tribunal was not satisfied that the condition imposed by the respondent was reasonable, nor were the alternatives suggested by the applicant unreasonable.


The Tribunal was ultimately satisfied that the applicant had been indirectly discriminated against by the respondent, on the grounds of her status as a breastfeeding mother, by imposing upon her a condition which was disadvantageous and not reasonable.

The Tribunal concluded that the respondent’s condition imposed upon managers to not leave the site was “not a reasonable response to the needs of a modern workforce”;[8] nor when applied in actual effect would achieve the outcome that the respondent sought:

“The respondent insists on the condition being enforced so that a manager trained in work health and safety would be available in an emergency, but the Tribunal questions how an employee half undressed, on a chair, in a tent could be a responsive manager in any emergency in any case.”

The Tribunal further commented on the duty of employers to appropriately accommodate for persons who are breastfeeding in the workforce:

“Catering to the needs of breastfeeding employees is not an outlandish demand. Women remaining in the workforce after giving birth has become a commonplace occurrence. In the future, there will be other employees who will wish to breastfeed their child. It is an unavoidable workplace issue which needs to be met and dealt with in an appropriate fashion.”[9]

The matter was listed for further direction.


If you feel like you have been discriminated against in the workplace, please contact us on (07) 3252 0011 to book a consultation with one of our employment team today.

This article was written  by Luke Borgert  and Sarah Gates

[1] Fair Work Act 1998 (Cth) s 65.

[2] Complainant 202258 v Southern Restaurants (Vic) Pty Ltd (Discrimination) [2003] ACAT 57, 12.

[3] Discrimination Act 2011 (ACT) s 8.

[4] Discrimination Act 2011 (ACT) s 10.

[5] Discrimination Act 2011 (ACT) s 7(1)(d).

[6] See s 7, 9 and 15.

[7] Australian Capital Territory v Wang [2019] ACAT 65.

[8] Complainant 202258 v Southern Restaurants (Vic) Pty Ltd (Discrimination) [2003] ACAT 57, 36.

[9] Ibid, 36.

Borrowing Dulls the Edge of Friendships

Case Note: Richardson v Wagner [2021] QDC 24

In the immortal words of William Shakespeare’s ‘Hamlet’: “Neither a borrower nor a lender be; For loan oft loses both itself and friend, and borrowing dulls the edge of Husbandry”[1]Put simply – loans and relationships often do not mix well. This principle was clearly on display in a recent decision of The Queensland District Court – Justice Barlow forced to make a difficult decision on whether a lender or guarantor, both seemingly blameless in the situation, should bear the detriment of incurring the defaulted debt of a now bankrupt defendant.



The plaintiff, Mr Richardson, over the course of a number of short loans since 2014, had loaned various sums of money to JDP Applications Pty Ltd (JDPA – the first defendant) – a company owned and solely directed by childhood friend and second defendant, Jason Wagner. Between 5th July and 4th November 2016, Mr Richardson lent JDPA money totalling $100,000 at 5% interest per month.

On 9 November 2016, this principal amount of $100,000 was increased by an additional $50,000 to $150,000, and the deadline on the original $100,000 extended by 3-4 months – on the provision that the third defendant, Lesleigh Wagner (Jason’s mother), guaranteed the entire loan. Mrs Wagner signed the guarantee, and Mr Richardson transferred the remaining $50,000.

JDPA later went into liquidation and Mr. Wagner went bankrupt. Mr Richardson thus sought to enforce the guarantee for $150,000 plus interest against Mrs Wagner.


The Issues

The primary issue Justice Barlow had to determine was whether to enforce the guarantee against Mrs Wagner, or allow Mr Richardson to suffer the loss.

A secondary issue derived from whether JDPA’s prior repayments to Mr Richardson were to be apportioned to the principle or the interest. Since the loans calculated interest as a percentage of the principle, reductions in the principle would decrease the interest payable at a faster rate.


A ‘Guarantee’?

Despite the existence of a document which resembled a guarantee, the defendant firstly argued that she should not be bound by the document as it either was not, could not be inferred to be, or was too uncertain in its terms to be, a guarantee[2]. She argued the document was instead only an “acknowledgement of debt or consideration that had already passed”[3], and not the defendant’s contract of promise[4].

Justice Barlow, however, found the document was clear in defining the terms of the loan: an intentional joint offer by the named signatories (Mr and Mrs Wagner) to guarantee JDPA’s entire loan in exchange for Mr Richardson increasing the loan to $150,000 and providing the 3-4 month extension. An explicit clause indicated that the loan would be guaranteed by the signatories. Justice Barlow indicated that upon the signature and delivery of the document to Mr Richardson, both Mr and Mrs Wagner had clearly intended to offer personal guarantees of the debt’s repayment[5], and that the document “cannot sensibly be construed any other way”[6]. To suggest differently would be to adopt a “Humpty Dumpty” method of giving words meanings they do not have, and Justice Barlow refused to partake in it[7]. The argument was rejected.


No Consideration?

The defendant further argued that despite its potential guarantee status the document was contractually unenforceable as no fresh consideration was exchanged[8]. This argument was also rejected.

Justice Barlow stated that despite Mr Richardson not receiving any direct personal benefit from the guarantee, Mr Richardson provided consideration by lending money to his own detriment on the promise of the guarantee[9]. His transfer of the final $50,000[10], and 3-4 month extension[11], was deemed ample fresh consideration.

Upon considering the case’s circumstances, Justice Barlow found valuable consideration had also passed from Mrs Wagner. The evidence showed that Mrs Wagner was aware of the what the guarantee document was, understood its significance as being legally binding on her, and sent it away with Mr Wagner – in effect asking Mr Richardson to lend money and in exchange offering to guarantee the debt[12].


A Limited Guarantee?

The third argument outlined that the guarantee was only for the additional $50,000 – not the full $150,000 plus interest[13]. However, Justice Barlow indicated that the guarantee clearly stipulated that it was for the entirety of the $150,000 loan at 5% per month – not simply the $50,000 additionally invested[14].

A similar defence argument suggested that the guarantee was only valid for the 3-4 month extension period, and during this period JDPA did not default nor did Mr Richardson call on JDPA or the guarantors to pay the outstanding debt[15]. Justice Barlow however outlined Mr Richardson could call upon Mr and Mrs Wagner as guarantors at any time after a default by JDPA, and the guarantee did not limit this time. He stated that if a debtor is required to pay money at a certain time, “it would be a nonsense to hold that the guarantor, if not called upon to fulfil those obligations within the very same time, would be free of the guarantee”[16]. This is because the guarantor is only liable after the debtor’s default, and default might only occur at the end of the period the contract specifies[17].



The defence argued unconscionability across two grounds.

The defence, relying on Commercial Bank of Australian Ltd v Amadio[18],  firstly insisted it would be unconscionable to allow Mr Richardson to enforce the guarantee. They argued at the time of contracting Mrs Wagner had a ‘special disadvantage’ by nature of her age, a close relationship with “full trust and faith” in her son (Mr Wagner) in matters relating to JDPA’s business[19], and the nature of the loan’s unusually high interest rate. They continued that Mr Richardson would be taking unfair advantage of her if he did not actively make enquiries about her ability to repay the loan[20].

Justice Barlow; however, concluded that Mr Richardson lacked the “predatory state of mind” required for equitable intervention and denial of the guarantee’s benefits[21]. He outlined there was nothing that would have awakened him to the likelihood of any such disadvantage, and further reinforced that “constructive notice has no part to play in the doctrine of unconscionability”[22]. He added that even if such disadvantage existed, nothing suggested Mr Richardson was wilfully blind by not inquiring about it[23].

Secondly, the defence argued that Mr Richardson, on applying Amadio[24]had duties to disclose JDPA’s financial positions regarding the previous loans accumulating $100,000 to Mrs Wagner before she signed the guarantee. They reasoned that Mr Richardson had information of JDPA’s financial circumstances that showed it as different from what Mrs Wagner would ‘naturally expect’[25], and hence he should have disclosed this information. In considering this argument, Justice Barlow distinguished the case from Amadio[26], indicating a lender’s disclosure obligations are only confined to circumstances where there are some unexpected facts or unusual features” in the case[27]. Since the prior loans between Mr Richardson and JDPA contained no extraordinary elements (despite the unusually high interest rate that Mrs Wagner was already aware of), Mr Richardson had no disclosure obligations.


Principal or Interest?

Justice Barlow held each repayment made prior to 9 November 2016 (when it was agreed that a further $50,000 would be added) was payment only of interest. He utilised Clayton’s Case[28]  – the general presumption applied by the High Court being that “payments made in reduction of a debt are intended to be applied consecutively in discharge of the items making up the debt”[29]. Whilst accepting that any deviation to this rule required explicit communication between the parties[30], His Honour found that Mr Wagner had explicitly assigned the payments to interest (the bank statements showed that the repayments were labelled as “interest”), had exchanged text messages that indicated the repayments were for interest, and had impliedly authorised Mr Richardson to decide himself where to apply the payments (Mr Richardson applied them to interest).


The Judgement

Justice Barlow found Mrs Wagner as liable to Mr Richardson as guarantor of the debt – awarding Mr Richardson $195,609.17.


Lessons regarding loans for future business

There are some valuable lessons to be learnt from the Wagners’ case:

    1. Seek legal advice when drafting the terms of your contract agreement as ambiguity as to the terms can lead to lengthy and costly litigation;
    2. It is important to make appropriate inquiries into the financial position of any personal guarantor as their guarantee certainly loses value should they become bankrupt;
    3. Be clear and direct in assigning the aspect of the loan you wish for the repayments to go towards (i.e. principal or interest);
    4. Be wary of signing a personal guarantee. While you may certainly trust that you will not be relied upon to enforce the debt; should you understand that what you are signing is legally binding then the court is likely to enforce the guarantee.

This article was written by Luke Borgert & Jackson Litzow (student placement).



[1] W Shakespeare, Hamlet, Act 1, scene III. Polonius speaking to Laertes.

[2] Richardson v Wagner [2021] QDC 24 (‘Richardson v Wagner’), [15a].

[3] Ibid [21].

[4] Ibid [20].

[5] Ibid [22].

[6] Ibid [15b].

[7] Ibid [27].

[8] Ibid [33].

[9] Ibid [34].

[10] Ibid [31].

[11] Ibid [15c].

[12] Ibid [37].

[13] Ibid [15d], 50.

[14] Ibid [41]-[42].

[15] (1893) 151 CLR 447.

[16] Richardson v Wagner (n 2) [49].

[17] Ibid [15e].

[18] Ibid [52]; Kakavas v Crown Melbourne Ltd (2013) 250 CLR 392, [161].

[19] Richardson v Wagner (n 2) [53].

[20] Ibid [54].

[21] (1983) 151 CLR 447 (‘Amadio’).

[22] Ibid 457; Richardson v Wagner (n 2) [44].

[23] Amadio (n 24).

[24] Behan v Obelon Pty Ltd [1984] 2 NSWLR 637, 638E.

[25] Devaynes v Noble (1816) 1 Mer 571, 35 ER 781 (‘Clayton’s Case’).

[26] Sibbles v Highfern Pty Ltd (1987) 164 CLR 214, 222.

[27] Richardson v Wagner (n 2) [77].

What happens if I intentionally injure someone in order to protect myself and/or my family?


On the 14th of September 2009, in the case of Corowa v Winner & Anor [2019] QDC 135, 

Winner assaulted Isaiah Corowa in order to protect his fiancée and grandmother from being physically and verbally abused. Winner deliberately drove his vehicle at Isaiah Corowa and consequently drove over Corowa’s right foot, which lead to hospitalization and Corowa suffering four separate injuries to his foot, listed as follows:  

    • A severe crush injury to the right foot resulting in an extensive soft tissue degloving injury requiring extensive plastic surgery and skin grafts. 
    • A fractured dislocation right mid-foot region was treated surgically with multiple joint arthrodesis or fusion.  
    • An avulsion fracture of the medium aspect of the right navicular and  
    • A fracture of the base of the right fifth metatarsal bone 

The plaintiff sought compensation from the insurer for the injuries he suffered. The case was taken to court ten years after the incident and unfortunately, Winner had deceased before the hearing.  


Differing witness accounts 

During the court hearing, six people, including Corowa, gave their recollections of the events from the 14th of September 2009. This was almost ten years before the court hearing proceeded in 2019. As Winner had deceased, his statement from 2009 was used as his recollection. Among these seven accounts, there were several discrepancies and contradicting recollections put forward. Ultimately, the judge decided not to accept the recollection of events put forward by Corowa or his two friends who were with him on the 14th. 

Several factors led to this decision, including that: 

    • Corowa’s statement in 2009 and his statement in court had substantial differences and numerous contradictions. 
    • Corowa had a significant history of drug use. 
    • Corowa had a prior criminal history involving numerous convictions for dishonesty and violence.  

Recollections given by Winner’s fiancée (Erin) and grandmother (Joy) were accepted as the most accurate recall of events and many of the decisions made were based on their statements as evidence.  

While these statements also had some differences, Erin and Joy no longer had an interest in protecting Winner (as he was now deceased) and any differences in the recollections could be linked with the trauma of that day and the substantial lapse of time after the incident occurred. 

Furthermore, Erin and Joy’s statements were also consistent with the neighbour who was accepted as an independent witness and viewed as giving honest and reliable evidence. 

So, what happened on the 14th of September 2009? 

The version of events accepted are summarized as: 

    • On the 14th of September 2009, Winner reversed out of his driveway as Corowa and two of his friends walked down from a nearby house.  
    • Winner either almost hit them by accident or came near enough that they felt he was close to hitting them.  
    • This provoked Corowa and his friends, causing them to abruptly hit the car and abuse Winner, who in turn abused them back.  

These events would later lead to the final act of conflict between Corowa and Winner which led to Corowa’s foot injury. 

    • Later that day, Winner encountered the three men again while driving past some shops. The three men threw an object (likely to be a bottle) at the car and damaged Winner’s vehicle.  
    • The men later returned to Winner’s home. 
    • At that stage, Joy was putting the bins out on the footpath with the assistance of Erin.  
    • She noticed the men arriving from the back of the house with two pulled palings from the fence to be used as weapons. 
    • Corowa was in possession of a replica pistol which he used to advance on Joy and hit the window of the car she had managed to get inside.  
    • Winner approached the three in his car which caused Lama and Scott to retreat from the attack, however, Corowa did not.  
    • At this point, both Erin and Joy were still in danger from Corowa.  

Winner was aware that Corowa had a weapon (although he thought it was an axe) and acted to defend his fiancée and his grandmother from the attack by driving his car at Corowa and consequently running over his foot. 


Were Winner’s actions justified? 

When Winner drove his vehicle at Corowa, this was recognized as assault. The question is whether that assault by Winner was justified, which would determine the outcome of the court hearing. 

For Winner’s action to be justified, it must be viewed as a reasonable action that he carried out to protect himself, his fiancée or his grandmother from the attack. 

It was found that while Winner was in control of a significant weapon, a motor vehicle, and his actions were likely to cause harm, he was confronting three armed men and it could not be expected for him to leave nor was it practical for him to exit the car and try and fight these men by himself. 



The Judge found that Winner’s actions were reasonably necessary to protect his fiancée and his grandmother and accordingly, the defence of self-defence had been established. 

Corowa’s claim was dismissed and he was ordered to pay the insurance company’s costs.  

If you have any questions regarding personal liability or compensation where there may be self-defence of contributory negligence, please contact our office to speak with a litigation lawyer today. Call us on (07) 3252 0011 and speak with one of our client engagement team today.  

Business lessons from insufficient cybersecurity measures

The case of ASIC v RI Advice Group [2022] FCA 496

With the current online landscape and the recent 2022 Optus and Medibank cyberattacks, cybersecurity measures should be at the forefront of many businesses. The landmark cybersecurity case of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 is the first of its kind to acknowledge a financial institutions contravention of the Corporations Act 2001 (Cth) (Act) for breaches of insufficient cybersecurity measures.

This case follows on from ASIC’s previous 2020 proceedings against RI Advice group (to read more about these proceedings, click here). This 2022 case study demonstrates ASICS’s regulatory role and highlights the importance of companies compliance with cybersecurity legislation.



The Defendant, RI Advice Group, was a subsidiary of the ANZ Banking Group that held an Australian Financial Services License. They had between 89-119 Authorised Representatives (ARs). These AR provide financial services on the Defendant’s behalf. Since 15 May 2018, they had at least 60,000 clients.

During the period of 15 May 2018 to 6 August 2021, the Defendants were held to have contravened sections 912A(1)(a) and (h) of the Act. Since they had failed to have documentation and controls adequate enough to manage cybersecurity risks, it was determined that the financial services the Defendants were providing was not done so efficiently, honestly and fairly.

The relevant sections of the Act are provided below:

(1) A financial services licensee must:

(a)  do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly; and

(h)  …have adequate risk management systems; …

Prior to 15 May 2018, the Defendants acknowledged that they had no documentation, controls and risk management systems that were adequate to manage cybersecurity risks. However, the Defendants were not audited for their compliance with the professional standard requirements for financial advisers.

The lack of cybersecurity measures of the Defendants were highlighted as they had no up-to date antivirus software, filtering or quarantining of emails or backup systems in place. They also had poor password practices which involved the sharing of passwords, continued use of default passwords and storage of passwords in easily accessible locations.

Between 2014 and 2020, 9 cybersecurity incidents occurred, including the hacking of email accounts, website providers, servers and reception computer. In some events notably, fraudulent emails were sent to clients requesting fund transfers and client’s personal information was compromised, held for ransom and used without authorisation.

Since early 2018 in response to some of the incidents, the Defendants undertook various security steps which included the implementation of training sessions, incident reports, professional standards, compliance auditing and engagement of external security advisory firms. However, these practices were adequately incorporated or complied with by all the Defendant’s ARs until 6 August 2021.

Since the parties had settled the matter and the Defendants admitted they were in breach and should have had more robust cybersecurity measures implemented, the Judge had to consider whether there was a proper basis for making the parties proposed declarations and orders.


Judgement Reasons

It was declared that the Defendants were in breach of sections 912A(1)(a) and (h) of the Act.

Further, under section 1101B(1) of the Act, the Defendants were ordered to establish a cyber security compliance program and continue their engagement of the external cybersecurity expert.

To be in breach of section 912A(a) of the Act, there does not need to be a dishonest act. An act or omission that fails to meet a reasonable performance of fair and efficient services is sufficient. Further, services must be provided with competence, with reference to social and commercial norms and standards. While it was held that having inadequate procedures and training is a failure to act efficiently and fairly, there was no social or commercial norm that the Defendants were in breach of.

It was also considered that since cyber risk management is a highly technical area, it requires the expertise of a relevantly skilled person. Therefore, the adequacy of risk management must be informed by people with technical expertise in the area, not the general public.

The Court believed it appropriate to make the declaration to deter future contraventions of financial services laws, notwithstanding the Defendant’s acts were careless and unintentional.

ASIC had a real interest in bringing the matter as a public regulator to ensure licensees are aware that the relevant provisions of the Act apply to the management of cybersecurity risks and the public are protected from sensitive information breaches.


Need Assistance? We can help

With criminals moving into the cyberspace to target victims, it is vital for businesses to maintain adequate and updated cybersecurity measures including security protocols and systems. Adhering to ASICS cybersecurity standards requires the consideration of an individual business’s circumstances and capacity.

Our expert team at Corney & Lind Lawyers has extensive experience in advising on the provisions of various company policies and procedures, the roles and expectations of company directors and responding to the legal ramifications of cyber security incidents. Contact our team for further assistance and tailored, informed advice or call us on (07) 3252 0011 to book an appointment with one of our Lawyers today.

This article was written by a Corney & Lind law clerk


Related Cybersecurity Articles




Three Billy Goats Gruff: Addressing the Troll under the Bridge

The proposed Social Media (Anti-Trolling) Bill 2021


Context behind Bill

The Federal Government’s proposed Social Media (Anti-Trolling) Bill 2021 has begun being drafted in Canberra largely as a response to the High Court decision of Fairfax Media Publications; Nationwide News Pty Ltd; Australian News Channel Pty Ltd v Voller [2021] HCA 27 (Voller). This landmark case saw the High Court take an orthodox approach to interpreting what it meant to “publish” material defamatory in nature. The Court ultimately ruled against the appeal of the news media outlets which shared their articles online, primarily via their Facebook social media accounts.

The primary contention of this case was whether the appellants could be liable in defamation law for the publishing of Facebook comments under Facebook posts published by the appellants. The appeal to the High Court was made on the grounds that the appellants did not make the defamatory comments available to the public, did not participate in their publication and were not in any relevant sense instrumental in their publication[1]. Crucially, the appellants contended any publication of defamatory matter required intention. This argument the Court rejected.

Ultimately, the Court held that defamatory matter published by a third-party (the third-party publisher) which is facilitated by the online pages (such as social media pages or websites) of an organisation or person (the facilitator) may make that organisation or person liable under defamation law. It was uncertain to what extent the facilitator’s knowledge of having facilitated defamatory material was required – a facilitator’s participation in the publishing is highly contextual and fact-specific.


Proposed Operation of Bill

The decision of the High Court, and the uncertainty of its effects on free speech, has prompted the drafting of the current Bill before Federal Parliament – titled the Social Media (Anti-Trolling) Bill 2021.

The Government has cited two main concerns following the Voller decision which it seek to address in the Bill:

1. To date, the reaction to the Voller decision by social media pages has seen comments disabled under posts and the general disabling of community engagement with important topics. The Bill aims to protect page owners by relieving them “as ‘publishers’ for defamatory material posted on their pages by third parties. In practice, this means a person who maintains or administers a page on a social media service will be protected from defamation liability.”[2] The aim is to ensure that social media pages are not made liable for the posting of defamatory material by another.

2. The Bill will focus on addressing mitigating harm suffered by victims of defamation. In particular, the bill will introduce two recourses available to users suffering such harm through:

a. The introduction of a complaints mechanism which will allow the victim to raise their concerns surrounding the defamatory matter with the page provider (typically, the website host such as Facebook or other social media providers) and, with consent, obtain the contact details of the original author of the defamatory matter; or

b. Through obtaining a new ‘end-user information disclosure order’ from a court.


Either option will allow the victim to obtain the contact details (those being the name, email and phone number) of the original defamatory author. This will allow victims of defamation to seek resolution more easily from those causing harm and will provide, at least from the outset, a way to identify and make accountable anonymous users.

There are further proposed provisions which address the increasing presence of social media and online platforms in legal contexts – “fit-for-purpose” provisions within the Bill aim to allow the ever-evolving technology of online services to remain within the ambit of defamation law. The Bill will also aim to require social media providers to have nominated Australian entities to facilitate the proposed mechanisms mentioned above.

No doubt, since the decision of the High Court in Voller, the Government has reconsidered the operation of defamation law and the effects it has in the online community. With an aim to provide Australians with a faster and more accessible avenue to provide reprieve of harm suffered from the publishing of defamatory matters, this Bill will change (hopefully for the better) how online media platforms and pages respond to harmful material.


Looking Forward

Broadly, discussion of this Bill and its proposed effects has been met with reservations. The general intention behind the Bill, that is, to identify “trolls” (online perpetrators), is quite easily circumvented. The use of a virtual private network (VPN) to effectively “re-locate” Australian-based online users to overseas servers, thereby appearing overseas and outside of the courts’ jurisdiction, is a legal and popular tool. The ability for online users to remain anonymous is still a factor which has, arguably, not been adequately contemplated by this proposed legislation. The Government will likely need contemplate how it wishes to tackle online anonymity – a principle that involves greater implications and requires deeper consideration.

The other issue which this Bill will likely face in opposition is how “harm” suffered by victims of trolling (not per se defamation) will be remedied. If the intention of the Bill is to address trolling, specifically where a user posts non-criminal inflammatory, digressive or provocative material, there are little options available. Whilst the Bill extends defamation law and its threshold requirement of “serious harm” to the online space, it does not allow for the remedy of harm suffered by trolling without trolling causing less than “serious harm” and harm that isn’t necessarily defamatory. If the Government wishes to address trolling as the Bill title suggests, other remedying avenues may need to be included.

Media platforms are yet to respond to the Bill and how it further regulates the online space. It should be expected that the Bill (and its interventions in platforms’ operations) will be met with opposition by these tech companies.

All considered, persons and organisations with online presences should remain vigilant in limiting their liability to adverse legal action. Internal policies such as social media and internet policies may need be reviewed, in particular, to address potential changes in defamation law and to ensure that operators and administrators of online pages are compliant with best practice. For assistance in this area, our experienced team can provide specialist and tailored advice and advocacy.

Please feel free to contact our office for the most up-to-date and relevant advice.

This article was written by Simon Mason



[1] Fairfax Media Publications Pty Ltd v Voller (2020) 380 ALR 700 at 712 [45].

[2] Attorney-General’s Department, Social Media Anti-Trolling Bill 2021: Explanatory Paper at 3

Proposed changes to the defamation act 2005 (QLD)

Defamation is commonly regarded as an imputation or assertion which would cause ordinary, reasonable members of society to think less of someone. It must be published and it must be untrue. Previously, to “publish” such an imputation or assertion required the physical printing and dissemination of a document but, with the wider reach and influence of online platforms, “publication” extends to media releases, writings, speeches, drawings, reports, advertisements and “any other thing by means of which something may be communicated to a person”.

Any cause of action for defamation, under Queensland jurisdiction, is governed by the Defamation Act 2005 (Qld)The purpose of this Act is to supplement pre-existing common law and to strike a balance between protecting the reputations of individuals and the implied freedom of expression of the general public. It also aims to facilitate dispute resolution between ‘publisher’ and ‘aggrieved’ parties. Introduced in the Queensland Parliament on 20 April 2021, the Defamation (Model Provisions) and Other Legislation Amendment Bill 2021 (Qld) proposes amendments to the Defamation Act which would further clarify and align these current objectives. Amendments, as they are proposed, most notably include:

    1. Amendments to limit the types of corporations that can sue for defamation;
    2. The introduction of the ‘serious harm element’ required as an element of the cause of action for defamation;
    3. Various amendments throughout the Act designed to ‘better facilitate’ defamation dispute resolution prior to litigation; and
    4. Changes to the roles of judicial officers and juries for various procedural matters. These proposed changes won’t be further discussed other than to say that certain defences would be determined by a jury (if there is one elected or required) and that judicial officers would be required, instead of juries, to determine whether the new ‘serious harm element’ is established.


Currently, section 9 of the Defamation Act excludes certain corporations from having a cause of action for defamation. These ‘excluded corporations’ include corporations which are ‘related’ to other corporations. The Bill proposes to further restrict the types of corporations that can sue for defamation to replace ‘related’ corporations with corporations that are ‘associated entities’ of other corporations. The term ‘associated entities’ is defined by section 50AAA of the Corporations Act 2001 (Cth). Briefly, an entity (the associate) is an associated entity of another entity (the principal) if:

    1. The associate controls the principal and the operations, resources or affairs of the principal are material to the associate; or
    2. The associate has a qualifying investment in the principal, the associate has significant influence over the principal and the interest is material to the associate – or vice versa for the principal; or
    3. A third entity controls both the associate and principal and the operations, resources or affairs of the principal and associate are material to the third entity.


Under section 50AAA, a ‘qualifying investment’ means an asset that is an investment or an asset that is the beneficial interest in an investment that is controlled by the entity which invests it in another entity.

It is important to note, however, that whilst excluded corporations cannot sue for defamation, they can, under similar but differing circumstances, sue for injurious falsehood which arises when corporations have suffered commercial loss. Injurious falsehood and defamation actions differ in that the former is intended to protect businesses from undue financial loss and the latter protects individuals from reputational harm.

The ‘serious harm element’ requires aggrieved parties to prove the publication of defamatory matter has caused, or is likely to cause, serious harm to the reputation of the aggrieved. For an excluded corporation, harm is not serious unless it involves serious financial loss. The current defence of triviality, should this Bill be enacted, would be omitted from the Act – the threshold of ‘serious harm’ nullifies any need to rely upon it.

New amendments introduce certain forms required to be exchanged between parties before the aggrieved may commence defamation proceedings. First, a concerns notice must be provided to publishers of defamatory matter (on behalf of the aggrieved) which outlines, most notably:

a. The location where the matter in question can be accessed;

b. The defamatory imputations of the aggrieved;

c. The harm that the aggrieved considers to be serious harm to the reputation of the aggrieved caused, or likely to be caused, by the publication; and

d. If the aggrieved is an excluded corporation, the serious financial harm the publication has caused or is likely to cause.


Further to the concerns notice, if the aggrieved fails to provide the required information needed for this notice, the publisher may request a further particulars notice from the aggrieved, required to be returned within 14 days. This notice requires the aggrieved to provide reasonable further particulars specified in the notice about the information concerned.

A publisher may make an offer to make amends within 28 days of receiving a concerns notice. Otherwise, if 14 days has passed following the provision of a concerns notice, the offer to make amends must be made within 14 days after the aggrieved provides to the publisher further particulars in response to a further particulars notice. If the relevant period to make an offer to make amends expires, the publisher may commence defamation proceedings.

Defamation proceedings may still commence without the provision of required concerns notice in limited circumstances, or where the court may consider it just and reasonable. Generally, defamation actions must commence within one (1) year from the date of publication of any defamatory matter.

Ultimately, the Bill proposed by the Queensland Parliament will have implications on both publishers and aggrieved parties should it be enacted, and will affect how defamation actions proceed.

Corney & Lind has extensive experience in the field of defamation. Should you require any advice on commencing or defending defamation action, feel free to contact our office.

This article was written by Law Clerk


Cyber-security and legal risks

In January 2020, Allianz published the results of their annual Risk Barometer survey[1], which identified cyber incidents as (for the first time ever) the most important global business risk. It affirms cyber-security issues increasingly taking precedent as a concern for businesses.

Under the header of this risk, Allianz reported the following trends which are of particular relevance to law firms:

    1. “Data breaches larger and more expensive” – “As companies collect and use ever greater volumes of personal data, data breaches are becoming larger and costlier….”;
    2. “Litigation prospects rising” – “Data breach litigation in the US is a developing situation. A number of large breaches have triggered class actions by consumers or investors…; and
    3. “M&A can bring cyber issues” – “Even the best protected companies will be exposed if they acquire a company with weak cyber-security or existing vulnerabilities.”

In light of this risk, Australian entities should consider introducing additional proactive procedures into their privacy governance, keep up to date with new data and privacy related litigation developing in the industry and consider additional auditing and protective measures when buying or selling a business.


New obligations and procedures

In Australia, the Privacy Act 1988 (Cth) sets out 13 Australian Privacy Principles. These principles require applicable entities to ensure that they are compliant with a number of obligations including (without limitation):

    1. To have an up-to-date policy about the management of personal information by the entity (Australian Privacy Principle 1);
    1. Disclosing how the entity will use and disclose the personal information it collects (Australian Privacy Principle 6);
    1. Imposing obligations in relation to cross-border disclosure of personal information by the entity (Australian Privacy Principle 8);
    1. Ensuring personal information collected is accurate, up-to-date and complete (Australian Privacy Principle 10); and
    1. Ensuring personal information is kept secure (Australian Privacy Principle 11).

2017 amendments to the Privacy Act 1988 (Cth) also introduced mandatory “eligible data breach” obligations. The amendments extend not only to unauthorised electronic data breaches, but may also apply to “physical” data breaches, such as losing an unencrypted USB containing confidential client information whilst taking public transport. If a notifiable data breach occurs, the entity may potentially be required to notify the Australian Privacy Commissioner, professional associations or persons who are affected by the data breach.

In the age of the international retail business, internet shopping and global charities, it is not only Australian legislation that has application to Australian entities. Potentially, the use and disclosure of data in, and transfer out of, the UK, EU and EEA areas by an Australian entity can be subject to the General Data Protection Regulation.

Accordingly, an Australian entity should consider:

    • What their obligations are in relation to the collection, use, disclosure and maintenance of personal and sensitive information;
    • Whether their privacy and cyber-security policies and procedures are up-to-date; and
    • Whether a regular technology and cyber-security audit, and technology road-map are needed. The audit should consider what cyber-security gaps there currently are in the entity’s I. T. environment (for example, gaps arising from with support for Windows 7 ending on 14 January 2020). The roadmap should consider what new hardware and software is needed to ensure is needed to protect confidential data.


New types of cyber-security litigation

Allianz’s report identifies that data breach litigation is continuing to develop globally. Potentially, that wave of litigation could find its way to Australian shores, noting that a recent Office of the Australian Information Commissioner’s Statistics Report[1]  attributes 35% of reported data breaches to be as a result of human error (including unintended disclosure or loss of a data storage device), being as high as 55% in the health sector.

Apart from data breaches, notably, litigation over privacy matters are occurring within Australia. Summaries of recent published Australian decisions that highlight changes ordinary businesses are needing to make to their business models and practices include:

‘QP’ and the Commonwealth Bank of Australia Limited (Privacy)[2] :

    • The Complainant had a credit card for his business with the Commonwealth Bank of Australia (“CBA”).
    • In 2013, CBA sold the debt to Credit Corp Group (“CCG”), and the Complainant entered into a payment plan entered in 2013 with the Commonwealth Bank.
    • In January 2015, the Complainant had been advised by CCG the debt had been paid and finalised.
    • However, in June 2015, CBA advised the Complainant that the debt was still outstanding. This affected the complainant’s credit applications.
    • The Commissioner determined that:
    • CBA interfered with the Complainant’s privacy by using and disclosing personal information about the complainant which was inaccurate, out-of-date and/or in complete in breach of Australian Privacy Principle 10.2;
    • CBA was required to issue a written apology acknowledging their interference with the complainant’s privacy, and pay the complainant $15,0000 for non-economic loss;
    • CBA undertake changes to its policies and operation procedures establishing reasonable steps to ensure that financial information about a person that CBA uses or disclosure is accurate, complete, up-to-date and relevant in accordance with its privacy obligations, and provide a copy of its amended policies and procedures to the privacy commissioner.
    • CBA is to engage an auditor to assess its practices and effectiveness of its amended policies and processes, and provide a report to the Commissioner.

‘RC’ and TICA Default Tenancy Control Pty Ltd (Privacy)[3]

    • TICA provides information services to a number of industries by providing access to various online databases to real estate industry members for a fee. This included maintaining a Public Record Database which collates publically available information such as daily court lists.
    • In February 2014, the complainant was a party to a proceeding in the New South Wales Civil and Administrative Tribunal.
    • This information was not altered after February 2014, notwithstanding that the evidence as that the proceedings were no longer on foot.
    • The complainant discovered that her personal information had been listed in TICA’s PRD when she sought private rental accommodation, and made a complaint in July 2014 that TICA had published her personal information on its PRD and disclosed this information to property agents. The complaint included that TICA did not take reasonable steps to ensure that the complainant had been made aware of the collection of the complainant’s personal information.
    • TICA contended that it did not have the contact details of the complainant nor was it in a position to locate these details from the face of the information on the PRD listing, and therefore was not in a position to take reasonable steps to bring to the complainant’s attention the fact of the listing of her personal information on the PRD.
    • The Commissioner decided that TICA had failed to take any reasonable steps to comply with its obligations to ensure the complainant was aware of the collection of information, and declared that:
      • TICA were to produce a notice on a tenant-accessible portion of its website that addresses various matters that will assist persons in identifying how TICA collects, uses and discloses information, and how those persons can contact TICA about their personal information; and
      • TICA were to issues an apology and pay $1,500 to the complainant for non-economic loss.


New considerations for when purchasing or selling a business

New obligations and increased cyber-security risks may mean that the modern business purchaser would need to consider new obligations to introduce into their contracts. These would of course vary depending on the nature of the business, but potential new considerations can include:

    • Conducting an audit of the business’ I.T. environment and security before the merge, and identifying what risks need to be addressed before (or after) completion;
    • Identifying what personal and sensitive information is being acquired through the business acquisition, and testing whether the information is (without limitation):
    • Kept securely;
    • Current and up-to-date; or
    • Otherwise compliant with obligations under the Privacy Act 1988 (Cth).

If you seek legal advice on cyber-security and legal risk, make an appointment with our client engagement team to speak with a litigation lawyer.

This article was written by James Tan (Director) & Judith Mendes (Graduate Law Clerk).



[1] Office of Australian Information Commissioner, Notifiable Data Breaches scheme 12-month insights report, https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-scheme-12month-insights-report/, published 12 May 2019.

[2] [2019] AICmr48.

[3] [2019] AICmr 60

[1] Allianz Global Corporate & Specialty, Allianz Risk Barometer 2020, https://www.agcs.allianz.com/news-and-insights/reports/allianz-risk-barometer.html, January 2020.

Cyber security for Australian business

The threat environment 

In June 2020, the Prime Minister brought to the Australian public’s attention the vulnerabilities which they may face through unsecure cyber assets. He announced that, after attacks from a “sophisticated, state-based cyber actor”, the Government was on heightened alert to the relatively new threat to Australian industries and businesses. [1]

The threat of an attack from a state-based actor may not, on first instance, necessarily pose an acute threat to most small to medium-sized businesses. However, business-owners should be aware of the increasing prevalence of online attacks by smaller but nonetheless detrimental adverse actors.

First, it may be helpful to clarify the difference between cyber security and online safety. As provided by the Australian Cyber Security Strategy 2020[2] (further discussed):

    1. Cyber security includes providing Australians with secure online protection of their data, information, devices and networks from malicious actors. The Australian Cyber Security Centre (ACSC), via cyber.gov.au, is the main point of contact for the public on cyber security.
    2. Online safety includes protecting individuals, families, and communities from harmful content and behaviours such as cyber bulling, image-based abuse and illegal and harmful online content. The eSafety Commissioner, via esafety.gov.au, is the main point of contact for the public on online safety

The scope of this article will cover, predominantly, the impacts and expected responses to cyber security as it relates to the operation and protection of Australian businesses and individuals.


Key statistics 

In 2016, the ACSC began as an initiative of the Australian Signals Directorate (run by the Department of Home Affairs) to combat, inform of and regulate the role of cyber security within Australia. Since 2019, the ACSC has begun multiple inquiries and reports specifically to address the increasing threat of cyber-attacks. Of particular note to Australian businesses is the ACSC’s current Cyber Security Strategy 2020. This Strategy is largely informed by the ACSC Annual Cyber Threat Report 2019-2020, which provides for statistics that indicate how relevant cyber threats are to all Australians.

Figure 1 below outlines the threats to various groups within Australia, categorised by cyber security incidents (a single event or series of events that threatens the integrity, availability or confidentiality of digital information) that were least severe (Category 1 or C1) to most severe (Category 6 or C6). The largest proportion of incidents (36.5%) were a Category 5 – Moderate Incident

Figure 1: Categorization of Cyber Incidents 2019-2020[3]


As provided by the ACSC Report, the increase of cybercrime reports (Figure 2) directly correlates with cyber security incidents to which the ACSC had responded in 2019 to 2020 (Figure 3). Both figures show the general trend of increasing cyber threats from December 2019, with a high spike in the month of April 2020.

Figure 2: Number of Cyber Security Incidents, per month, 2019-2020[4]

Figure 3: Cybercrime reported, per month, 2019-2020[5]


In April 2020, the ACSC reported that there were multiple large, co-ordinated attacks which were comprised mainly of phishing emails seeking to obtain sensitive information about Australian businesses and individuals. It is reported the adversary threatened to release the sensitive information of recipients’ friends and family unless paid a ransom.

The threat of fraud and extortion was the most predominant of all cybercrime reports, making up 39.68% of the total reported cybercrimes. [6] This statistic alone should be of particular concern to Australian businesses given the estimated overall loss of $850 million to Australians in 2020 from cyber scams. [7] This loss was an increase of 23% from the year prior.[8] It has been estimated that total private sector costs of cyber security incidents are as high as $29 billion per year.[9]


Government response 

The Cyber Security Strategy 2020

The aforementioned ACSC Cyber Security Strategy 2020 (“the Strategy”) seeks to respond to these concerning statistics by providing both legislative proposals and practical guidance to assist Australians and their businesses. Key actions include:

1. Provisions in the Telecommunications and Other Legislation Amendment (Assisstance and Access) Act to provide law enforcement with broader powers to deter and disrupt dark web adverse actors;

2. The investment of $855.1 million over the next ten (10) years into the Australian Signals Directorate and to “enabling and enhancing intelligence capabilities”;

3. Enforcing positive security obligations for entities responsible for critical infrastructure such as energy, water and mining. This will be done through amending the Security of Critical Infrastructure Act 2018. The Security Legislation Amendment (Critical Infrastructure) Bill 2020 currently sits before the Commonwealth Parliament with the positive security obligations involving three aspects:

a. Adopting and maintaining an all-hazards critical infrastructure risk management program;

b. Mandatory reporting of serious cyber security incidents to the Australian Signals Directorate; and

c. Where required, providing ownership and operational information to the Register of Critical Infrastructure Assets.

4. In line with advice from the 2020 Cyber Security Strategy Industry Advisory Panel and stakeholder feedback, the Australian Government will work with businesses on possible legislative changes that clarify the obligations for businesses that are not critical infrastructure to protect themselves and their customers from cyber security threats. This consultation will consider multiple reform options, including the role of privacy and consumer protection laws, and duties for company directors; and

5. Ongoing consultation with industry and businesses.


Industry and Businesses Consultation

Critical to the consultation with industry and business is the Regulations and Incentives Paper of the ACSC which provides for further proposed strategies to be undertaken by the Government in response to cyber security threats. Its purpose is to offer policy considerations to which industry and businesses may respond to in relation to commercial incentives and costs.

Briefly, the paper considers implementing possible new policies, such as:

1. Minimum standards for personal information to be further enabled by the Privacy Act 1988 (Cth) (“the Privacy Act”);

2. Mandating standards and labelling for smart devices of the ‘Internet of Things’ through the Code of Practice: Securing the Internet of Things for Consumers.

3. Promoting responsible disclosure policies;

4. Promoting health check programs for small businesses, with a basic level of due diligence provided by a third party or Government; and

5. Legal remedies for consumers through Australian consumer law reform and further direct right of action through the Privacy Act.

The Government is currently allowing submissions on its Regulations and Incentives discussion paper, until 11:59pm on Friday 27 August 2021. Visit the Department’s webpage to make a submission.


Guidance for cyber security protection

The ACSC has comprised the following guidelines for businesses and individuals to prevent and respond to cyber security incidents which may arise out of fraudulent or compromised emails. Noting the statistics mentioned prior, having a clear understanding of this guidance will mitigate the most pertinent cyber risk Australians face – becoming a victim of email fraud.


Email Security Prevention Protection Guide

    1. Turn on multi-factor authentication. This kind of authentication requires a combination of something an online user knows (passwords or PINs), something a user has (smartcards, access keys or mobiles) and something a user is (biometric data such as fingerprint scanning). To effectively enable multi-factor authentication, contact your IT provider;
    2. Protect your domain names. This may mean registering multiple domain names which are similar to your existing domain. The expiry date of domain registration/s should be noted;
    3. Set up email authentication measures. Discuss with your IT provider the inclusion of Sender Policy Frameworks (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC). Implementing these protocols will mitigate against emails being sent fraudulently on your business’ behalf;
    4. Make your personal online presence private. This may involve ensuring that personal social media accounts do not ‘post’ sensitive information about business-related material or documents.
    5. Ensuring policies and procedures are up to date. There are multiple policies and procedures relevant to the privacy and security of Australian businesses. Such policies are necessary to adopt legal obligations and mitigate against external (and internal) cyber security threat.
    6. Training and awareness. It is important to ensure that all staff and employees of any business are aware of the expectations clients, customers and employers hold in relation to cyber security. Of particular importance is managing financial and banking practices. Receiving and making payments should be secure.


Emergency Response to Email Hacking

    1. Report to authorities. Reporting cyber security incidents through the ACSC’s Report Cyber Portal allows for reports to go directly to the affected person/business’ police jurisdiction. Take note of the Report Reference Number (beginning with ‘CIRS-’) for your records. Report to your banking or financial institution if the incident involves money.
    2. Check your account security. There are multiple steps involved in the review of email account security. These steps may be taken if an incident is suspected of having occurred or for general due diligence:
      • Change your password/passphrase/PIN;
      • Update your account recovery details (third party accounts used for recovery);
      • Sign out of all other sessions, including in other open browser tabs or other computer sign-ins;
      • Enable multi-factor authentication, as discussed earlier;
      • Review account mail settings (including mailbox rules)
      • Review third party application access;
      • Check login activity; and
      • Review your email folders, devices and other accounts.
    3. Notify contacts and relevant third parties. Under the Privacy Act, certain organisations and businesses have obligations to take positive action in the event of a ‘notifiable data breach’. These kinds of breaches occur when there is a suspected or actual risk of serious harm on any individual. Responses to these breaches should be covered by the organisation’s Privacy Policy.
    4. Request a domain takedown through the .au Domain Authority, auDA. auDA is the official Australian authority for all “.au” website domains. If there is a suspicion that a domain is acting adversely against your business, you may contact the domain owner through the Registrar Abuse Contact Email, by visiting:


Further assistance

Proper adherence to cyber security principles and expectations involves the consideration of a business’ individual circumstances and capacity. Ensuring adherence to obligations such as those which arise from the Privacy Act and Australian corporate and consumer law are essential for all relevant Australian businesses.

Our expert team at Corney & Lind Lawyers has extensive experience in advising on the provisions of various company policies and procedures (including Privacy Policies), the roles and expectations of company directors and responding to the legal ramifications of cyber security incidents. Contact our team for further assistance and tailored, informed advice.

This article was written by a Law Clerk.



[1] Statement of Malicious Cyber Activity Against Australian Networks; 19 June 2020; Prime Minister, Minister for Home Affairs and Minister for Defence.

[2] Page 5, ACSC Cyber Security Strategy 2020.

[3] Figure 2, page 7; ACSC Annual Cyber Threat Report 2019-2020.

[4] Figure 1, page 6; ACSC Annual Cyber Threat Report 2019-2020.

[5] Figure 5, page 10; ACSC Annual Cyber Threat Report 2019-2020.

[6] Page 11, ACSC Annual Cyber Threat Report 2019-2020.

[7] Page 1, ACCC Targeting Scams: Report of the ACCC on Scams Activity 2020.

[8] Ibid.

[9] Frost and Sullivan 2018, Understanding the Cybersecurity Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World, available at https://news.microsoft.com/apac/2018/05/18/cybersecurity-threats-to-cost-organizations-in-asia-pacific-us1-75- trillion-in-economic-losses/.


Defamation: Watch out for trolls!

Fairfax Media Publications; Nationwide News Pty Ltd; Australian News Channel Pty Ltd v Voller [2020] NSWCA 102

In a decision on Monday, 1 June 2020, the NSW Court of Appeal held that news outlets were liable as “publishers” for readers’ Facebook comments partially because they “encouraged and facilitated” comments by setting up public Facebook pages.


What is Defamation? 

Defamation is the publication of unsubstantiated ‘facts’ that negatively impacts the reputation of an individual.  In New South Wales and Queensland, compensation claims for damages arising from defamation are governed by the provisions of the Defamation Act 2005 (NSW) and Defamation Act 2005 (Qld) respectively.


The Voller Case

In July 2017, former youth detainee Mr. Dylan Voller commenced proceedings against three media companies, Nationwide News Pty Ltd, Fairfax Media Publications Pty Ltd and Australian News Channel Pty Ltd claiming damages for defamation based on the content of third party comments on their Facebook pages.

These substantive proceedings raised four questions for the Court to examine: namely,

    1. Did the media companies publish the posts?
    2. Were the posts defamatory?
    3. Were there defences with respect to the publications (for example: triviality, innocent dissemination, substantial truth)?
    4. What damages should be awarded?


Did the defendants “publish” the posts? 

Pursuant to rule 28.2 of the Uniform Civil Procedure Rules (NSW), the parties agreed to have the first issue (the publication issue) initially heard separately given the other elements largely hinged on this first issue.

In 2019, Rothman J at first instance held that the media companies, as the owner of a public Facebook page, “assumes the risks that comments made on that page will render it liable”.

Rothman J held that these large media companies had the resources available to oversee and moderate the comments. This includes disabling all public commenting (particularly on controversial articles which may likely give rise to defamatory material) and hiding all comments by applying filters of very common words and approving comments that are not defamatory.

This decision was largely upheld by the New South Wales Court of Appeal, as Basten JA, Meagher JA and Simpson AJA highlighted that the media organisations subscribe for a Page and “encourage and facilitate” the making of comments by third parties.

Meagher JA and Simpson AJA state:

…a person who participates and is instrumental in bringing about publication of defamatory matter is potentially liable for having done so notwithstanding that others may have participated in that publication in different degrees”.


Innocent Dissemination Defence?

Crucially, the Court of Appeal clarified that media organisations may still seek to rely on the defence of “innocent dissemination” at final trial. There has not been any finding at this stage that the comments were in fact defamatory.

It is anticipated this decision, particularly if it is appealed to the High Court, would apply to cases in Queensland given the similarities between the jurisdictions on the law of defamation.

Written By James Tan and Luke Borgert