IPMojo

October 9, 2025 by Scott Coulthart

Privacy’s First Big Hit: Australian Clinical Labs Fined $5.8 Million for Data Breach Failures

When 86 gigabytes of patient data — including health, financial and identity information — hit the dark web after a ransomware attack, the fallout was always going to be brutal.

Now, in Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224, the Federal Court has handed down a $5.8 million penalty — marking the first civil penalty judgment under the Privacy Act.

And it’s a warning shot for every business holding personal information in Australia.


⚖️ The Case in a Nutshell

Australian Clinical Labs (ACL) — one of the country’s largest private pathology providers — bought Medlab Pathology in late 2021.

What it didn’t buy (or even check properly) were Medlab’s crumbling IT systems: unsupported Windows servers, weak authentication, no encryption, and logs that deleted themselves every hour.

In February 2022, the inevitable happened — a ransomware group calling itself “Quantum” infiltrated Medlab’s servers, exfiltrated 86GB of data, and dumped it online.

ACL’s response was painfully slow. Despite early signs of exfiltration, it:

  • Relied almost entirely on an external consultant’s limited review;

  • Concluded (wrongly) that no data had been stolen;

  • Ignored early warnings from the Australian Cyber Security Centre; and

  • Waited over three months before notifying the OAIC.


🧩 The Breaches

Justice Halley found ACL had seriously interfered with the privacy of 223,000 individuals through three major contraventions of the Privacy Act 1988 (Cth):

  1. Breach of APP 11.1 — Failure to take reasonable steps to protect personal information from unauthorised access or disclosure.

    • The Medlab systems were riddled with vulnerabilities.

    • ACL failed to identify or patch them after acquisition.

    • Overreliance on third-party providers compounded the problem.

  2. Breach of s 26WH(2) — Failure to carry out a reasonable and expeditious assessment of whether the incident was an eligible data breach.

    • ACL’s “assessment” was based on incomplete data and unsupported assumptions.

    • The Court called it unreasonable and inadequate.

  3. Breach of s 26WK(2) — Failure to notify the Commissioner as soon as practicable after forming the belief that an eligible data breach had occurred.

    • ACL delayed nearly a month after confirmation that personal and financial information was on the dark web.

Each breach amounted to a “serious interference with privacy” under s 13G, attracting civil penalties.


💰 The Penalty Breakdown

ACL agreed to pay a total of $5.8 million:

Contravention | Section | Penalty
Breach of APP 11.1 (223,000 contraventions, treated as one course of conduct) | s 13G(a) | $4.2 million
Failure to assess breach | s 26WH(2) | $800,000
Failure to notify OAIC | s 26WK(2) | $800,000
Total | | $5.8 million

ACL also agreed to pay $400,000 in costs.

While the theoretical maximum exceeded $495 billion, the Court accepted the agreed penalty as being within the permissible range — particularly given ACL’s cooperation, remorse, and post-breach reforms.


⚙️ “Reasonable Steps” — The New Legal Standard

This judgment finally gives judicial colour to APP 11.1’s “reasonable steps” requirement.

Justice Halley said reasonableness must be assessed objectively, considering:

  • the sensitivity of the information;

  • the potential harm from unauthorised disclosure;

  • the size and sophistication of the entity;

  • the cyber risk landscape; and

  • any prior threats or attacks.

Critically, “reasonable steps” cannot be outsourced — delegation to an IT vendor does not discharge responsibility. ACL’s overreliance on StickmanCyber was no defence.


🚨 Why It Matters

This decision rewrites the playbook for privacy compliance in Australia:

  • Civil penalties are real — the OAIC now has judicial precedent for enforcement.

  • Each affected individual counts — the Court held that each person’s privacy breach is a separate contravention.

  • “Serious” breaches will be taken seriously — health and financial data, inadequate security, and systemic failures will all tip the scales.

  • M&A due diligence must cover cybersecurity — buying a business means inheriting its data liabilities.

  • Notification delays will cost you — the OAIC expects “as soon as practicable,” not weeks or months.


💡 IP Mojo Take

Privacy can no longer be treated as just a paperwork exercise — it’s a governance test you can fail in the Federal Court.

This case cements privacy law as a compliance discipline with teeth.

The OAIC now has a roadmap for future actions — and the Court has made clear that “reasonable steps” means measurable, auditable, and proactive security governance.

For corporate Australia, this is ASIC v RI Advice for the health sector — but under the Privacy Act instead of the Corporations Act.

Expect to see:

  • Increased OAIC enforcement in healthcare, finance, and tech sectors;

  • Board-level scrutiny of data protection measures; and

  • Class actions waiting in the wings, armed with a judicial finding of “serious interference with privacy.”

The privacy bar has just been raised — permanently.

Filed Under: Digital Law, Privacy, Regulation Tagged With: Digital Law, Privacy, Regulation

October 8, 2025 by Scott Coulthart

Damages or Profits? The Federal Court Forces Patentees to Choose

How long can a successful patentee delay the choice between damages and an account of profits?

In VMS v SARB (No 13) [2025] FCA 1078, Justice Burley confronted that very question — and ordered the patentee to make its election within 21 days.

The dispute

  • Vehicle Monitoring Systems (VMS) had succeeded on parts of its patent infringement case against SARB and the City of Melbourne.

  • The trial judge retired; the case was remitted for pecuniary relief.

  • VMS wanted to delay electing between damages and profits until after more evidence was in.

The ruling

  • Justice Burley held that while patentees should make an “informed choice”, that doesn’t mean indefinite delay.

  • Guided by Island Records v Tring and Australian cases (LED Builders, Australian Mud Company), the Court balanced:

    • Patentee rights: not forced to gamble in the dark.

    • Court efficiency: s 37M Federal Court Act requires just, quick, inexpensive resolution.

  • Result: VMS ordered to elect within 21 days.

Why it matters

  • For patentees: Don’t expect to hold off forever — the Court wants efficiency.

  • For infringers: Push for early election to limit procedural drag.

  • For practitioners: Timing of election is now firmly part of litigation strategy, not just an end-of-trial formality.

Takeaway

This case sharpens the line between informed choice and delay tactics.

The Court’s message is clear: patentees must choose their remedy earlier than many may have hoped.

Filed Under: IP, Patents, Remedies Tagged With: IP, Patents, Remedies

October 7, 2025 by Scott Coulthart

Sportsbet’s “More Places”: Distinct Enough to Register

Can a trade mark like MORE PLACES really distinguish betting apps and wagering services? The Registrar thought so in Sportsbet Pty Ltd [2025] ATMO 195.

The case was a test of s 41 of the Trade Marks Act 1995 (Cth), which stops marks that are too descriptive from being registered. Examiners had argued that MORE PLACES was purely descriptive — suggesting Sportsbet’s services were available from more venues, or that gamblers could win more “places” in a race. Either way, they said, other traders needed that phrase free for honest use.

But Sportsbet pushed back. The Delegate agreed that while the words had a meaning, they weren’t directly descriptive of the goods and services. Instead, the phrase was more of a “covert or skilful allusion” in the Cantarella sense — an allusive tagline, not a generic description.

👉 Outcome: application accepted for registration.

Why it matters

  • Allusion vs description: This case shows how fine the line is between a mark that merely hints and one that directly describes.

  • Taglines can stick: Even in a heavily regulated, crowded industry like wagering, a catchy phrase can clear the s 41 hurdle.

  • The presumption of registrability is real: unless the Registrar is satisfied the mark can’t distinguish, applicants get the benefit of the doubt.

The takeaway? You don’t need a completely fanciful word to succeed. Sometimes, a clever phrase like MORE PLACES will do the trick.

Filed Under: IP, Trade Marks Tagged With: IP, Trade Marks

October 2, 2025 by Scott Coulthart

First Use vs First File: Vmaisi Trade Mark Squatter Knocked Out

The name Vmaisi might not ring a bell — but in this opposition it was the difference between owning a brand and losing it.

Chengbo Wang, founder of Ningbo Vmaisi Import & Export Co Ltd, knocked out Xiang Chen’s attempt to register Vmaisi in class 20 (non-metal hardware, locks, baby seats).

👉 The battleground? Section 58 of the Trade Marks Act 1995 — ownership.

Wang came armed with real-world evidence: Shopify orders, Amazon listings, and Australian customers clicking “buy now.”

Chen, meanwhile, turned up empty-handed — and with a history of filing other people’s brands without doing much else. The Delegate wasn’t impressed, calling it the classic playbook of a bad-faith filer.

🔑 Why it matters

  • First use beats first file — ownership flows from actual use, not just getting in line at the filing counter.

  • Global clicks count — Amazon, Shopify and website screenshots can prove Australian use.

  • Conduct matters — a pattern of opportunistic filings can tip the scales against you.

💡 IP Mojo Take

Trade mark squatting isn’t just an “overseas problem” — it’s alive and well here too.

And remember: Australia’s trade mark register is a register of ownership, not ownership by registration. Only the true owner can register a mark. Filing doesn’t magically make you one.

For brand owners:

  • Keep an eye on the register — if you snooze, you lose.

  • Move fast if someone else files your brand.

  • For e-commerce businesses: your digital receipts, analytics, and customer data are gold when proving ownership.

In today’s digital marketplace, your best defence may just be sitting in your Shopify dashboard.

Filed Under: Digital Law, IP, Trade Marks Tagged With: Digital Law, IP, Trade Marks

October 1, 2025 by Scott Coulthart

Reckitt’s Red Powerball Fizzles: Shape Marks for Dishwashing Tablets Refused

If you’ve ever stacked a dishwasher, you’ll know the iconic Finish red “powerball” capsule. Reckitt tried to lock down that look with two shape/colour trade mark applications — but Henkel (maker of rival dishwashing products) opposed.

In Henkel AG & Co. KGaA v Reckitt Benckiser Finish B.V. [2025] ATMO 198, the Delegate refused both marks under s 41 of the Trade Marks Act 1995 (Cth).

Reckitt argued its tablet shapes and colours (blue, white and red, with a central “ball”) had become distinctive through use. But Henkel countered that capsule-style tablets are industry standard: divided compartments, bright colours, and glossy “gel” effects all signal product function or quality.

Evidence showed competing brands used similar designs, making these visual features common to the trade.

The Delegate agreed. While Reckitt’s advertising highlighted the “powerball” as a badge of origin, the overall shapes and colour combinations weren’t inherently adapted to distinguish, and the use evidence wasn’t enough to carry the day.

👉 Result: registration refused.

Why it matters

  • Shape and colour marks are tough: Features that are functional or common in an industry rarely meet the distinctiveness threshold.

  • Marketing ≠ distinctiveness: Advertising a red ball as your “thing” doesn’t prove consumers see it as a trade mark, especially if competitors use similar visual cues.

  • Evidence must be targeted: Courts and registries want clear, dated, and widespread evidence showing the public perceives the design as a brand, not just decoration.

For brand owners, the message is clear: don’t rely on shape/colour marks to protect your product design.

Instead, combine registered trade marks, design rights, and trade dress enforcement for a stronger strategy.

Filed Under: IP, Trade Marks Tagged With: IP, Trade Marks

September 30, 2025 by Scott Coulthart

From Torque to Tension: When Distributorship Dreams Unwind

What happens when a long-standing distribution relationship morphs into a promise of “forever” — and then collapses under the weight of commercial reality?

That’s the story in Torc Solutions Pty Ltd v Unex Corporation d/b/a Hytorc [2025] FCA 1124, where the Federal Court had to untangle claims of perpetual agreements, economic duress, misleading conduct, and an alleged “termination strategy”.

The Background

Torc Solutions was the Australasian distributor of torque wrenches and industrial tools sold by US entities Torc LLC and Hytorc.

When Torc LLC shut down globally in 2020, Torc Solutions looked to keep its business alive through a home-branded (“private label”) supply deal with Hytorc.

A teleconference between the parties fuelled Torc’s belief that an ongoing “Hytorc Agreement” had been struck, giving them perpetual supply rights on the same terms as their earlier Distributor Agreement.

Later, a formal Branded Product Distribution Agreement (BPDA) was signed. When that deal fell apart over insurance requirements and Hytorc’s decision that the arrangement was no longer viable, Torc alleged that:

  • a binding agreement already existed from the teleconference,

  • the BPDA was signed under economic duress, and

  • Hytorc had engaged in misleading, deceptive, and unconscionable conduct.


The Court’s Findings

Justice Neskovcin dismissed all claims by Torc, finding:

  • No perpetual contract – Courts rarely find distributorships to be “forever agreements”. The Distributor Agreement ended when Torc LLC closed.

  • No binding teleconference deal – The discussions fell into Masters v Cameron’s third category: “we’ll get something in writing later”. No enforceable contract arose until the BPDA was executed.

  • No duress – Telling a counterparty “sign the agreement or we won’t supply” was not unlawful pressure, but part of hard commercial bargaining.

  • No misleading or unconscionable conduct – The evidence didn’t support that Hytorc had promised supply it never intended to provide.

Bottom line: application dismissed.

Why It Matters

For brand owners and distributors alike, the lessons are sharp:

  • Paper it, or risk it – A teleconference transcript doesn’t replace a signed agreement.

  • “Forever” is a fantasy – Unless clearly expressed, distributorships and licences will be terminable.

  • Economic duress is hard to prove – Commercial pressure, even bluntly applied, rarely crosses the line.

  • Don’t over-rely on private label promises – A failed transition can leave the distributor exposed.

This case is a reminder that distribution and licensing deals live and die by what’s actually written down.

Filed Under: Commercial Law, Contracts Tagged With: Commercial Law, Contracts

© Scott Coulthart 2025