Update on notifiable data breach scheme

As we commented in our blog post late last year, new laws are set to come into effect on 22 February 2018 which will require organisations covered by the Privacy Act 1988 (Privacy Act) to notify the Office of the Australian Information Commissioner (OAIC) and any affected individuals if an unauthorised disclosure of personal information occurs.

The OAIC has published draft resources on its website to assist organisations in understanding their compliance obligations (accessible at: https://www.oaic.gov.au/engage-with-us/consultations/notifiable-data-breaches/).

The draft resources cover:

•    Who must comply with the NDB Scheme – the NDB Scheme will apply to you if you are an organisation or Australian government agency that is already covered by the Privacy Act;
•    Which data breaches are notifiable – a data breach is an ‘eligible data breach’ that requires notification if it is likely to result in serious harm to any of the individuals to whom the information relates (note that a data breach does not have to be ‘malicious’, such as a cyber-attack, for it to be an eligible data breach – accidental unauthorised disclosure may still require notification, for example);
•    How to notify – if the NDB Scheme applies to your organisation, your organisation must provide a statement to the OAIC, and notify individuals at risk of serious harm of the contents of that statement, if an eligible data breach occurs;
•    Australian Information Commissioner’s role in the NDB Scheme – the OAIC’s roles include receiving notifications of eligible data breaches, encouraging compliance with the scheme (including regulatory action in the event of non-compliance), and providing advice and guidance about the operation of the scheme.

It is important that you review your organisation’s policies, procedures and systems for securing personal information and preventing data breaches before they occur.  An effective data-breach response plan is also crucial to respond quickly if a data breach does occur, which may be the difference between averting serious harm and a breach requiring notification (which can be highly detrimental to an organisation’s reputation).

At Motus Legal, we have advised many of our clients on complying with their obligations under the Privacy Act.  Get in touch with us to prepare for the NDB Scheme before it comes into effect.

ICO - the new way to raise capital quickly?

Recent months have seen an explosion in the number of ICOs (or “Initial Coin Offerings”) undertaken to raise project-development funds from the crowd.  This trend has not gone unnoticed by smart entrepreneurs eager to ride the wave, and has led an increasing number of business owners to consider whether they too might use an ICO to raise capital for their own projects.  But what are ICOs, and how can they be used as crowd-sourced fundraising?

Initial Coin Offerings

At a high level, an ICO is essentially an event where a blockchain-based project sells “tokens” to early adopters and enthusiasts in exchange for money today (typically, using Bitcoin or other cryptocurrencies that can then be traded into Australian dollars).  It combines elements of crowdfunding with traditional capital raising activities, but with a cryptocurrency element.

ICOs generally take place before the project is completed.  The crowd-sourced funds raised from the ICO can then be used to cover operational costs and the costs of completing and implementing the project.

Once the project has launched, the digital token can either be used in accordance with the project’s application (which will of course vary from case to case), or be traded on an exchange for other cryptocurrencies or dollars.  Investors in ICOs are therefore anticipating that demand for the tokens (and the price payable for the tokens) will increase in future, such that they can later sell their tokens for a return.

To date, ICOs have collectively raised hundreds of millions of dollars to finance early-stage projects.  This year alone, early-stage blockchain entrepreneurs have raised more money via ICOs than from venture capital.

ICOs vs IPOs and other capital raisings

ICOs are often compared to Initial Public Offerings (IPOs) of a company’s shares on a securities exchange, and there are some similarities between the two.  For example, both are used to raise money by selling a stake in something, and both ICOs and IPOs have investors who risk their capital for the opportunity to make a return through an increase in value and trading.

However, there are some important distinctions as well.  IPOs offer securities (i.e. shares) to investors, and are therefore subject to ASIC / ASX rules and regulation under the Corporations Act.  For instance, before an IPO can be undertaken, the company would need to go through the usual due diligence and prospectus preparation process, as well as admission to the ASX.

Even outside the IPO context, any conventional capital raising not using a disclosure document (such as a prospectus) undertaken by issuing shares or other securities to investors is also subject to some strict rules under the Corporations Act.

By contrast, commentators have generally considered the purchase of tokens in an ICO to be the prepayment for goods or services, as opposed to a financial product falling within the government watchdog’s regulatory bounds.  Accordingly, ICOs are currently a relatively unregulated area.

ASIC Chairman, Greg Medcraft, recently discussed ICOs and noted that ASIC is still considering its position in relation to regulating these products.  The Chairman noted that ICO tokens are unlikely to be considered equity securities and stated that:

"They’re a very interesting concept.  An ICO is not equity – you’re offering basically something that is the product of the entity that is doing the launch.  You’re taking a bet on getting that product early.  How different is that if I go to Kickstarter and I buy something – a watch – and then I get that watch and sell it in the future? It’s no different, is it?"

However, the Chairman also noted that certain ICO tokens might be sufficiently similar to securities to fall within ASIC’s mandate, particularly around the provision of financial services surrounding the ICO. 

Motus Legal already works in the traditional capital raising arena and is well-versed in the financial products regulation space, and would love to explore potentially working on ICOs with other progressive businesses at the cutting edge of the capital markets.

Come talk to us!

The team at Motus Legal

Equity crowdfunding - new rules introduced

The Federal Government's recently introduced draft legislation, the Corporations Amendment (Crowd-Sourced Funding For Proprietary Companies) Bill 2017 (Bill), may at last make equity crowdfunding available to private companies.
 
You may recall that the Government already passed equity crowdfunding legislation in March (which is to come into effect this September).  However, a major point of contention in that legislation was the inability of private companies (which make up the vast majority of corporations in Australia) to access the regime.
 
The compliance costs of trading as a public company mean that relatively few private companies will go public in order to raise capital from the crowd under the current regime.  The recently introduced Bill is intended to address this by allowing companies to remain private.
 
If the Bill is passed by the Government, crowd-sourced investors will not be counted towards the fifty-shareholder limit that applies to private companies (although it is not yet clear what happens when these investors transfer their shares).
 
Crowdfunded private companies will also be exempt from takeover provisions under Chapter 6 of the Corporations Act, provided that the company amends its constitution to require a person who acquires more than 40% of the voting shares in the company to offer to purchase all other securities in the company on the same terms within 31 days.  The amended constitution must be lodged with ASIC if a crowdfunded company intends to rely on this exemption.
 
While allowing private companies to access the crowdfunding regime has been broadly welcomed, some commentators are questioning whether the obligations in the new Bill nonetheless require crowdfunded private companies to act as public companies in disguise.
 
The additional obligations that crowdfunded private companies must comply with under the Bill include:
•    having at least two Australian-based directors;
•    lodging annual financial and directors’ reports, which must be audited if the offer is over $1 million;
•    complying with certain 'related party' provisions of the Corporations Act; and
•    maintaining a more comprehensive company register.
 
This said, the new Bill has been recognised as an important step towards making equity crowdfunding available to private companies and this is certainly an area to watch.
 
Get in touch with us at Motus Legal to talk more.
 

Listed AGAIN in The Best Lawyers in Australia for Corporate Law

Motus Legal is stoked that Craig Yeung has again been listed in The Best Lawyers in Australia for Corporate Law, this time in the latest 2018 edition.  

Also, just like last year Craig is the only lawyer listed in Adelaide in Corporate Law from a non-traditional/NewLaw specialist legal consulting company model.  

This again proves what a lot of clients already know:  Motus Legal is a genuine alternative to the top corporate law firms in Adelaide for corporate M&A and transactions work.

From the team at Motus Legal, we want to thank all of our clients, referrers and supporters, all of whom have helped us build on our successes from last year - and have fun all along the way.

Keep moving.

The team at Motus Legal

Quick refresher on privacy and "small businesses"

The Australian Privacy Principles (APPs) contain many obligations and requirements as to how "APP Entities" collect, hold, use and disclose personal information.   An APP Entity is any organisation (whether a sole trader, company, partnership or trust) that is not a "Small Business Operator" - that is, any organisation that does not have less than $3 million annual turnover.
 
However, even if your organisation is a "Small Business Operator" with annual turnover of less than $3 million, do not assume the APPs don't apply to you.  There are a number of exceptions to the Small Business Operator rule, which may require your organisation to comply with the APPs.
 
For example, if your organisation has less than $3 million annual turnover but provides health services and holds "health information" about an individual (other than in an employee record), then your organisation must comply with the APPs.  "Health information" includes any personal information about:
•    the health or disability of an individual at any time (whether physical or mental);
•    a health service provided to or requested by an individual; or
•    other information collected to provide, or in providing, a health service.

"Health information" is interpreted broadly.  For example, the records of fitness clubs relating to individuals will fall within this exception, and therefore such fitness clubs must comply with the APPs regardless of whether they are Small Business Operators with less than $3 million annual turnover.
 
Another example where your organisation may be required to comply with the APPs (regardless of whether it has less than $3 million annual turnover) is where your organisation discloses personal information about individuals to receive a benefit or advantage, or to provide a service.  This also applies to organisations that provide a benefit, service or advantage to collect personal information about individuals from anyone else.  Organisations caught by this include those that sell lists of personal information to another entity so that the other entity can use it for direct marketing.
 
However, a Small Business Operator will not be required to comply with the APPs for trading in personal information if the Small Business Operator does so with the consent of the individuals concerned.  Whether satisfactory consent has been obtained from the relevant individuals for this to apply then becomes critical to get right.
 
As you can see, whether your business is bound by the APPs is not simply a matter of whether or not your organisation exceeds an annual turnover of $3 million.  At Motus Legal, we have advised many of our clients on privacy matters and compliance with the APPs, including specifically in the health sector.
 
Get in touch with us at Motus Legal to find out how the Australian Privacy Principles apply to your business.
 

Blockchain and Smart Contracts

Last year saw some major developments in blockchain technology. If these trends continue throughout 2017 and beyond, many commentators predict that blockchain technologies will revolutionise business in all sectors and industries.
So – what are these?  At a fundamental level, blockchain technologies provide a means of permanently recording transactions on a tamper-proof digital ledger that is available to the world.
Each “block”, which contains data about a transaction or transactions, must be verified by multiple “nodes” before the block is included on the blockchain ledger. This distributed verification process is intended to make blockchains highly resistant to unauthorised attempts to manipulate the blockchain ledger (such as by trying to process an artificial block with false transaction data). 
For this reason, blockchain technology is often touted by supporters as perhaps the most significant advancement for the Internet since the World Wide Web.   Big call, we know.
Advocates claim that blockchains provide a transparent and secure means for making transactions without requiring a central authority or trusted third party. This apparent ability of blockchains to provide the “trust” required in a transaction has led to predictions that the technology will completely overhaul the way information and assets are stored, tracked and traded across all industries.
Some businesses seem to have recognised this potentially new ground for experimentation and have begun to explore the opportunities. One exciting area is the emergence of “smart contracts” in commercial relationships.
In simple terms, unlike traditional contractual agreements, smart contracts are written in source code and recorded on a blockchain. When a given event occurs (e.g. X transfers money to Y), the smart contract automatically executes and processes the transaction on the blockchain ledger (e.g. title to Y’s shares and other given assets are transferred to X).
In this way, the smart contract is automatically enforced without either party having to trust that the other party will perform their obligations (or having to rely on a central authority or escrow).
That said, it is still not clear how these blockchains (at least for now) can completely replace traditional contractual agreements.  That is because commercial agreements are far broader in scope than the simple processing of transactions, and are carefully drafted to address many more aspects and uncertainties inherent in commercial dealings.
We have a lot of clients in the technology space, and we love talking to them about how technology will affect not only businesses in general, but the ‘business’ of law.

Watch this space and get in touch with us to talk more.
 

The team at Motus Legal

Cracker start to the year!

What a start to the year!  After a well-deserved break for the team, we jumped straight back into the deals for our awesome clients.

Deals that we have worked on over the last couple of months or are currently on the go around the country and overseas include:

- acquisition of a Melbourne based manufacturing and distribution company for our Adelaide client;
- sale of a logistics software company to a London based global company;
- acquisition of an engineering and manufacturing business from a Sydney company;
- sale of an Adelaide based engineering / distribution company to a Victorian company;
- acquisition of a multi-state motor vehicle hire business; and
- capital raisings for four different startups from seed and angel investors.

Add to that some more commercial work for our amazing clients:

- Massive licensing deal for Xped;
- Tenderfoot moves to Paris; and
- Senior exec appointment to listed tech company.

We are continually amazed at the amount of quality and cool work that we get to do here at Motus Legal.  We certainly "punch well above our weight" as they say.  So thank you to all our clients for trusting us with your projects.

We are looking forward to working on your next deal!

Keep moving,

The team at Motus Legal

 

Sandbox for Fintechs

As previously mentioned, fintechs in Australia have recently received a gift from ASIC in the form of an exciting and world-first "regulatory sandbox" initiative. These regulatory exemptions give Australian fintechs the opportunity to enter the market and test their products where they were previously held back by restrictive red-tape.
 
Under ASIC's recently released regulatory exemptions, eligible fintechs will be able to test certain products on the market for up to 12 months without requiring an Australian Financial Services Licence (AFSL) or an Australian Credit Licence (ACL).

This is exciting news for many fintechs that have found it difficult to really develop their businesses due to the high costs of obtaining these financial licences.
 
To be eligible for this licensing relief, your fintech must:
 
•    have no more than 100 retail clients;
•    plan to test for no more than 12 months;
•    have total customer exposure of no more than AU$5 million;
•    have adequate compensation arrangements (such as professional indemnity insurance);
•    have dispute resolution processes in place;
•    meet disclosure and conduct requirements; and
•    comply with the relevant responsible lending obligations.
 
If your fintech meets the applicable criteria (including product eligibility requirements), then you are entitled to rely on ASIC's licensing exemptions for a 12-month period, giving you the opportunity to test out your fintech in the marketplace.
 
We already work with a few fintechs and have many years' experience advising in the financial services sector in Australia, so get in touch with us and let us partner with your fintech.

Keep moving.

The team at Motus Legal

Mandatory privacy breach reporting

New laws, if passed, will require businesses that experience a data breach to notify the Australian Information Commissioner and any affected individuals that an unauthorised disclosure of personal information has occurred.
 
Cyber attacks and data breaches are becoming increasingly common in commercial life and will be experienced by most organisations at some stage. Now, under the proposed amendments to the Privacy Act 1988, certain businesses that fail to notify the Commissioner and affected individuals as soon as practicable may be exposed to hefty penalties.
 
Businesses and organisations that are considered "APP Entities" under the Privacy Act 1988 will be subject to the mandatory notification obligations if:
•    there is unauthorised access to or unauthorised disclosure of personal information; and
•    such access, disclosure or loss of personal information is likely to result in serious harm to any of the individuals to whom the information relates.
 
Providing notification of a data breach will likely result in significant negative publicity and scrutiny from the Commissioner. At Motus Legal, we have advised clients on policies and procedures that can be implemented to minimise the risk of a data breach occurring, as well as responding to claims of breaches of privacy.  However, businesses cannot entirely eliminate the risk that human error, a technology glitch or a malicious hack will cause a data breach.
 
It is therefore crucial that you act quickly if you become aware that a data breach has occurred or is likely to occur. Under the proposed amendments to the Privacy Act 1988, APP Entities that take effective remedial action before any serious harm occurs may be exempt from the costly mandatory notification obligations.
 
Get in touch with us at Motus Legal to find out how these new laws will affect your business and how we can help you manage data breaches before they occur.

 

The team at Motus Legal

 

Top 4 tips to become cyber resilient

Cyber security is an issue of increasing importance for organisations throughout Australia and the world. As businesses chase the undeniable benefits of going ever-more digital, the related cyber risks cannot be ignored.

It is now generally accepted in the business community that virtually all organisations will experience a cyber-related incident at some stage. Data breaches can lead not only to large civil penalties imposed on companies and personal liability for directors, but can also have a devastating effect on an organisation’s reputation. 

You should therefore view cyber security as not just a technical problem requiring technical solutions. As a key stakeholder in your business, you need to be proactive in implementing an effective management strategy to address cyber risk at all levels of your organisation. 

To enhance cyber resilience and succeed in the digital economy, you should at the very least adopt a strategy to: 
•    determine your business’ exposure to cyber risk, including with respect to its assets, supply chain, personnel, and response resources;
•    promote cyber security governance and raise awareness of cyber risks across your whole business;
•    assess and update your business’ policies and procedures, implement a data breach detection and response plan, and ensure your employees and contractors have the necessary training; and
•    review your business’ insurance policies and coverage.

Do not assume your business has satisfactory procedures in place to deal with cyber threats. Unfortunately, it is often only after a business has experienced a data breach and become exposed to the wide range of liabilities that it recognises the necessity of an effective cyber-resilience strategy.  Don’t let that be you. Get ahead of cyber risk by reviewing the above for yourself, or ask the experts to help.

At Motus Legal, we have helped many of our clients beef up their privacy policies and security procedures, and have provided much-needed advice on data, privacy and security-related matters.  Get in touch with us so we can help your business become cyber resilient.

The team at Motus Legal