Business Matters Newsletter – October 2014
Published on January 17, 2014 by Patricia Monemvasitis and Selwyn Black
Carroll & O’Dea is accepted into Primerus
We are proud to announce our firm has been accepted and given membership of the International Society of Primerus Law Firms, a highly selective society of the world’s finest independent boutique law firms. See link.
Cupid Hacked
The Australian Privacy Commissioner (Commissioner) recently completed a report into allegations that personal information of users of the Cupid dating web site, had been acquired by unauthorised persons.
The incident occurred prior to the 12 March 2014 replacement of the 10 National Privacy Principles (NPPs), with the Australian Privacy Principles (APPs).
NPP 4 (and new APP 11.1) requires that reasonable steps be taken to protect personal information from misuse and loss. In determining what were reasonable steps, the Commissioner looked at Cupid’s particular circumstances, including:
- the volume and sensitivity of the personal information handled; and
- the likely impact in the event that the personal information was compromised.
Cupid argued that as it did not have credit card information or bank data, less stringent steps were required of it. However the Commissioner noted that Cupid may have sensitive information because of the various types of “special interest” web sites it operated. The Commissioner found that more stringent steps were required by Cupid to keep the information secured, than may be required of organisations which did not handle such sensitive information.
Salting and Hashing
“Hashing” is a process of calculating a number (the hash) based on other data, that does not include all of the data. With hashed passwords, the system stores the hash, not the password. A hashed password does not include the original password – instead when the user supplies their password, the system re-calculates the hash, and compares that hash with the hash it has stored. There are a lot of different ways the hash can be calculated. For storing passwords the method selected should be what is known as a strong cryptographic hashing algorithm – these make it harder to calculate both what the original data was, and what other (different) data might happen to result in the same hash.
“Salting” is a process of adding additional random data (the salt) to the password, before calculating the hash that will be stored in the database. The salt is also stored with the hash, so that the same salt can be added when the user’s password is checked. The salt ensures that even if 2 users have the same password, they will probably not have the same hash. An attacker has to separately attack each user’s password.
The Commissioner reviewed the information management tools and the testing and monitoring used by Cupid, and found that they were reasonable. However the Commissioner reached the conclusion that Cupid had not taken reasonable steps to prevent disclosure of passwords, because the passwords were stored in plain text. The Commissioner found that the passwords should have been hashed, including by using a salt, because these techniques are simple and basic means to limit the risk of unauthorised access (and these techniques have been well known and used for decades). The Commissioner specifically found that Cupid’s storage of passwords in plain text was a failure to meet the required standard.
The Commissioner also found that there was failing in relation to the obligation to destroy or permanently de-identify personal information which was not being used – in this case junk, duplicate or abandoned accounts.
Once the issue was identified, Cupid took a significant number of steps including:
- sending a notification to all affected users, encouraging users to reset passwords;
- analysing server logs and tracking the hack method to ensure the breach had been contained;
- conducting 3 full scans using different detectors to confirm there were no malicious files;
- engaging a security team to conduct a full audit of the servers;
- conducting a remediation program;
- upgrading security measures;
- reviewing what personal information was required to ensure that Cupid only collected and
- retained what was necessary;
- engaging privacy lawyers to improve processes generally.
The Commissioner found that these responsive steps were appropriate, but nevertheless found that there had been breaches in relation to the security of password storage, and the failure to de-identify information, as mentioned above.
What is regarded as reasonable will no doubt move with changes in technology. However each organisation should obtain suitable analysis of its own needs, security system and privacy policies, to avoid what could at the very least be a rather embarrassing disclosure.
Troy Rollo – Carroll & O’Dea Lawyers
The assessment of damages for flagrant infringement of the Halal-Certified Trademark under the new section 126(2) of the Trade Mark Act in Halal Certification Authority Pty Limited V Scadilone Pty Limited [2014] FCA 614
The Halal Trade Mark is a seal used by the applicant to certify, for reward, those businesses that used halal practices in the preparation of goods and services in accordance with the Islamic faith.
The Halal Trade Mark is registered in respect of Class 35: Personal and social services, and Class 42: scientific and technical services: issuing halal certifications to business and individuals for goods and services if religious and technical requirements are met. The applicant alleged that the three respondents had been using the Halal Trade Mark without its permission to indicate that kebab meat products used were halal.
Perram J found that there was evidence of infringement since the kebabs, when sold under the halal certificate, were closely related services of providing halal certification for the purposes of Section 120(2) of the Trade Marks Act 1995 (TMA), namely they were closely related to the services in respect of which the Halal Trade Mark is registered.
In considering appropriate damages, Perram J made clear distinctions between the infringements of each respondent.
In respect of the retailers, the first and second respondents, the Court noted that the kebab shops were not interested in seeking halal-certification for their premises, but were only interested in seeking halal-certification from Quality Kebabs for the kebab meat supplied. This was a significant distinction given that the applicant was relying on the licence-fee approach for assessing damages as in the copyright case of Autodesk Australia Pty Ltd v Cheung Pty Ltd (Autodesk) where it was important that the infringer would have paid for a licence if faced with a choice between payment and not using the copyright work at all.
Thus, the damages were likely to be more in the nature of diminution in the reputation of and goodwill in the Halal Trade Mark. However, this would also require proof that the food served was not halal and that the public became aware of this. No evidence was led by the applicant to this effect and as such His Honour rejected diminution damages based on reputational harm to the Halal Trade Mark. His Honour therefore concluded that only nominal damages were payable by the first and second respondents. The sum of nominal damages awarded was $10.
There was however a further claim by the applicant for “additional damages” under Section 126(2) of the Trade Marks Act which provides that additional damages can be awarded for “flagrancy of the infringement” or to “deter” similar infringement by others.
Section 126(2) is fairly recent, being incorporated into the Trade Marks Act by the 2012 “Raising the Bar” amendments. Perram J held that “additional damages,” whilst broader than exemplary damages were not compensatory in nature. Referring to the Parliament’s Second Reading Speech His Honour concluded that the damages were intended to deter from infringement. Taking into account the “arrogant attitude” of Quality Kebabs in its defence, as for example Quality Kebab’s attempt to blame a former employee, His Honour found that an award of “additional damages” was appropriate here. The quantum of damages could not equal the value of the certificate as this would equate to a “use now, pay if you get caught approach”. Thus, a 50% increase on the certification fee was imposed yielding a total of $91, 015.00 for two years of infringement.
The applicant also managed to secure an injunction restraining Quality Kebabs from using the Halal Trade Mark as well as an order for corrective advertising in leading Islamic newspapers to inform the public of the misuse.
The decision thus serves as an important reminder to trade mark holders seeking to litigate that, unlike injunctive relief for the protection of trade mark interests, compensation does not flow freely without particular proof of loss.
Patricia Monemvasitis – Carroll & O’Dea Lawyers
Kim Leontiev – Carroll & O’Dea Lawyers
Investment via Limited Partnership Falls out of double tax treaty
The 2014 G-20 Heads of Government Summit in Australia follows other 2014 G-20 meetings in Australia, including meetings of finance ministers, trade ministers and central bank governors. On the agenda is the contribution of trade agreements towards economic growth. Australia is a party to free trade agreements with the United States, New Zealand and Korea, and it recently concluded an economic partnership agreement with Japan.
These treaties, along with applicable double tax treaties, form an important part of the framework for cross border dealings. They also increase uniformity of treatment, but some differences remain.
This article focuses on the 2014 Australian full Federal Court decision in Commissioner of Taxation v Resources Capital Fund III LP, which involved consideration of the Australian/United States double taxation treaty, as well as principles for valuation of business components.
Background
The Resources Capital Fund III Limited Partnership (RCF) was a Cayman Islands limited partnership with a Cayman Islands general partner. Almost all of the limited partners were U.S. residents. The partnership invested in an Australian company St. Barbara Mines Limited (SBML). RCF sold the shares in SBML for a gain of over $58 million. The Australian tax authorities wished to tax that gain on the basis that the sale resulted in a capital gain liable for tax in Australia.
At this point it is important to note that with some exceptions (including for certain venture capital limited and management partnerships), corporate limited partnerships are treated as taxable entities under Australian law even though for United States tax purposes they may be regarded as tax transparent (i.e. the partners rather than the partnership being assessed to tax).
The Australian Taxation Office (ATO) assessed RCF under Division 855 of the Australian Income Tax Assessment Act 1997, which applied Australian tax to a foreign resident on a capital gain on the sale of shares in an Australian company only if the shares were an “indirect Australian real estate property interest,” which in turn required that the shares constitute a greater than 10% interest in the company and that the sum of the market value of the company’s assets that are taxable Australian real property (TARP) must exceed the market value of the company’s non-TARP assets. TARP assets include real property and mining rights in Australia.
Note that a different regime would apply where the foreign resident has used an Australian permanent establishment.
The Valuation Issue
The assets of SBML included mining rights (which constituted TARP), and mining information together with the plant and equipment (which was not TARP).
The trial judge suggested that the correct valuation approach was to value separately each category of assets as if it was the only asset offered for sale in a transaction. However on appeal the full Federal Court preferred to measure the market value of the individual assets on the basis that they “are to be ascertained as if they were offered for sale as a bundle, not as if they were offered for sale on a stand alone basis.” This meant that a hypothetical purchaser of the TARP assets might expect to acquire the mining information and the plant and equipment for less than their production or acquisition costs and without material delay. This reflects the reality that information and plant will generally be sold to the purchaser of the relevant mine. The result was that the TARP assets exceeded the non-TARP for a least one relevant date, and the transaction was taxable, subject to the application of the U.S./Australia double tax treaty.
Double Tax Treaty Issue
The general Australian tax laws are subject to inconsistent provisions of relevant double tax treaties. The U.S. limited partners may have had the benefit of protection under the U.S./Australia double tax treaty if the relevant tax payer was a U.S. resident. As noted, for U.S. purposes the limited partnership was regarded as fiscally transparent (i.e. a pass through situation). However, with some exceptions, Australian tax law treats a limited partnership as a separate taxpayer, generally taxed as if it was a company, so that apart from the treaty Australian tax law would treat the taxpayer as a Cayman Islands limited partnership rather than looking through to the U.S. limited partners.
The trial judge paid heavy regard to the OECD commentary on the model tax treaty on which the Australia/U.S. double tax treaty was based, to find that the U.S. limited partners were the relevant taxpayers, and accordingly protected by the double tax treaty.
On appeal the full Federal Court said that the Australia/U.S. double tax treaty did not apply because RCF (i.e. the taxpayer assessed, being the Cayman Islands limited partnership rather than the partners), was neither a resident of the United States nor a resident of Australia.
Subject to any further appeal or change in the law, one consequence is that where there are TARP assets (e.g. mining rights or real estate), a non-Australian investor should consider investing directly from an entity in a treaty jurisdiction, to reduce the risk of double tax. In addition, other structures and specific advice should be considered.
While the context here is Australia/U.S., similar issues may occur under other double tax treaties where there is an interposed entity or structure, even a fiscally transparent one, with a domicile different to the parties of the treaty.