Speaking on the My Business Podcast, Mark and Nicole reveal:
- Changes to the Privacy Act and how this could affect businesses
- What constitutes defamation, particularly in the digital world
- The legal implications of not understanding a commercial property lease
- Where the law stands on debt recovery and chasing money
Plus loads more!
Adam Zuchetti: Hi everyone, thanks for tuning in to the My Business podcast. Adam Zuchetti and my colleague, Andy Scott are the hosts. Andy? How are you?
Andy Scott: I'm well Adam. How's things with you?
Adam Zuchetti: I'm all good.
Andy Scott: Good, good, good.
Adam Zuchetti: So. Today. Who've we got in?
Andy Scott: As an infamous person once said, "Mo money, mo problems." I dunno why I'm referencing that, but today's guests are problem solvers for businesses. And we had them in a while ago, and we could have spoken for hours, so we've dragged them back in again.
Their business was established in 2009, and they've got about 15 staff, and during that time they've given advice and helped many hundreds of clients on many thousands of business problems.
Adam Zuchetti: So we're welcoming back Nicole Billett and Mark Gardiner of Teddington Legal to discuss this prickly issue. Guys, thanks for coming back.
Nicole Billett: Pleasure.
Mark Gardiner: Thanks for having us back.
Adam Zuchetti: You were telling us before we came on air that you're noticing a growing trend of questions and concerns around cyber security and issues pertaining to that. Can you talk us through what are some of the really big hot button questions that you're finding business owners asking at the moment?
Mark Gardiner: The biggest issue I think is that there's been some press recently about changes to the Privacy Act. In February this year, Federal Parliament passed a bill that's been around for a very long time, which is making a fundamental change to how the Privacy Act operates. At the moment Australia does not have what's called a Mandatory Breach Reporting procedure. And in February next year that's going to change. So in many circumstances, if privacy of a company is breached, and your individual personal information is disclosed, then it's now going to be required in most circumstances that that breach be notified to the Australian Office of the Information Commissioner, which is the new title for the Privacy Commissioner, and to the affected individual. That's going to change how businesses deal with privacy and how they respond to issues.
And importantly, the Privacy Commissioner now has got some real teeth. He can levy fines of $360,000 on individuals, and $1.8 million to companies.
Andy Scott: Okay, so they're quite substantial. This isn't something that can be swept under the carpet.
Mark Gardiner: Yeah. And the other thing that overseas experience is telling us is that there is a value attached to individual privacy. So if someone's privacy is breached, it could well end up in a class action. That's what's happened in the States in a number of places, and occasionally in Europe. And whilst the actual damage and the quantifiable amount may be quite small on an individual basis, on a class action basis, if there's been a very large breach of say, someone's entire database, then the class action sums could be quite large.
Adam Zuchetti: Are you finding a lot of the concern is pre-emptively about how to prepare for the new laws coming in? Or are a lot of people saying "Look, we're already experiencing this, this is a problem for us now, and we think this new legislation is going to make the problem even worse for us"?
Mark Gardiner: No, I think it's general confusion. It's really "What does this mean? What does this mean for me, and what do I have to do?" And we're starting to help companies get ready for that. Having policies and procedures in the event of a breach, but also bringing in some cyber security experts and looking at their systems and processes, to try and guard against a privacy breach.
Adam Zuchetti: Yeah. So every business is different, but there's gotta be some core facets that are quite common across the board, to ensure that compliance is met. Can you talk us through some of those?
Mark Gardiner: One thing we've discovered, surprisingly there isn't any core facet. It's really the key is, what is personal information? And how do you manage it? How do you secure it? How do you store it? Where do you store it? How do you access it? How do you control it?
And companies do all of that very differently, in terms of, where is the server? How secure is their server? What's the backup? What are their firewall securities? How good are the systems to prevent attack? Cyber-security can be breached through inadvertent means. So when they see a USB stick on a train, happened recently. Someone loses their laptop which is unencrypted, or has very poor encryption. Or it can be a very sophisticated denial of service attack, where someone is deliberately trying to get people's personal information.
So the range is enormous in terms of what information is held by companies, and the way they hold it differs markedly.
Andy Scott: We're used to a lot of these big breaches that you read about and hear about in the media, of large organisations where they've got great volumes of private information; where you live, how much you pay, your bank details, credit card details. For a lot of SMEs, that's not necessarily the volume of data they are gonna have. What's the sort of minimum threshold of where it goes from you've just got someone's details, their name, up to, yeah now you're ... You would come under this privacy banner?
Mark Gardiner: The Privacy Act only applies to organisations that have $3 million dollars or more in turnover, or if they're holding sensitive information. Sensitive information is broadly defined, but essentially health information, or things like political affiliations and the like. But a lot of small businesses deal with large businesses. And the large businesses are captured by the Privacy Act, and there are therefore contractual obligations imposed on the small businesses to protect the personal information.
So whilst it only applies to the, not micro businesses but slightly larger businesses, the contractual obligations make it apply far more broadly than most people think.
Andy Scott: So if you did business with a larger organisation, by that very nature you need to have the same levels of compliance that they would do?
Mark Gardiner: The contract will probably require you to do that.
Adam Zuchetti: Are there particular industries that are more susceptible than others?
Mark Gardiner: No I don't think there is. Most companies seem to have good security and processes around credit card information and how that's stored and dealt with. But it's that vast bulk of personal information that people hold essentially. Name, date of birth, physical address, possibly occupation. And then it's things like shopping histories. There's things like preferences, website databases, search, all those kind of things.
Most of us I think are oblivious to how little privacy we have. Tracking cookies pop up all the time. Organisations can track where you go after you've been on their website. They can pop up and give you tailored advertisements. And there's databases that are maintained around that. So privacy is very broad.
Adam Zuchetti: Are you finding that your clients are quite proactive in this space, and they understand the complexity and the need to address it? Or is there quite a degree of "I'm a smaller business; this doesn't really affect me?" And it kind of becomes forced on them in one way or another.
Mark Gardiner: No, look, our larger clients are very aware of their obligations, and they're now stepping in and making sure they've got good processes and procedures to comply with the new legislative requirements. It's the smaller businesses. Everyone's aware of privacy, and the obligations, but the detail is sometimes where they need guidance. Where they're not really sure what they should be doing. The key is then where do they go for that advice?
There's the legal piece, which is where we come in. "Here's some policies, procedures and systems." But then they need some technical support as well. Often a system audit is necessary, just to understand what they're doing and how they're doing it. 'Cause you don't really want to use the law firm because you have a problem. You want to use a law firm to help you not have a problem.
Nicole Billett: 'Cause there's some I think misconception as well around where insurance comes into play in this area. That there are certain providers saying "We can give you an insurance policy to help you in this cyber security space", but when you really dig down into those policies, unless you have your house in order, unless you have the systems in place, the processes in place, that insurance won't help you. So there's some confusion around there, and I think sometimes, particularly smaller businesses see insurance as a way of saying "Well I don't really know what I'm doing but I'll insure myself away from that risk" when in fact there's a really big hole in that relationship as to how that can help, or if it in fact will help.
Andy Scott: I was going to ask, a lot of people think that if I've got antivirus software, and I've got a firewall on my PC systems, I'm cyber-secure. I'm in the clear, I don't have to worry about this sort of stuff. What are the common failings that you see where security is breached in these smaller firms?
Mark Gardiner: The key weakness in any cyber security framework are the individuals. How easy are passwords to break? Phishing, in the sense that, P-H-I-S, is where someone can be tricked into disclosing their password, 'cause that can happen a lot.
If there is a sophisticated attack on a company, small to medium business in particular, they're very vulnerable no matter what mechanisms they have in place. Whilst I do an awful lot of cyber security law, I'm not the technical guy. We know really good technical people who get in and analyse systems and make sure the firewalls are secure, but having good policies and procedures around passwords, how often passwords should be changed, making sure people encrypt their laptops when they take them home, making sure they don't inadvertently disclose material to the internet, posting things they shouldn't post. Those kind of broad-brush policies and procedures.
Andy Scott: I think cyber security's very much like home security in many ways. If someone really wants to get into your house, they're going to get into your house no matter what security you have. If you're broken into at home, you know what to do. You call the police. If an SME thinks that there's been an attack on their firm, or they think that their security's breached, what are the first steps they should take?
Mark Gardiner: A number of key steps. The first one is to disconnect from the internet. Stop it continuing. Try and bring back the servers that are damaged. Contact CERT, which is a Commonwealth organisation. The AFP may be involved if it's a very serious breach. There are really step-by-step processes which should be documented. But the first thing is to have a documented plan.
Andy Scott: Are these processes that people should, if it's happened, because of this legislation, they think they might be up for trouble, they should try and hide?
Mark Gardiner: I think the bigger sin would be hiding than the breach. The mandatory reporting guidelines are that, they're mandatory. You've got a certain period of time in which to notify the commissioner, and a certain number of days in which you need to advise those people who've had their privacy breached.
Adam Zuchetti: Has that time period actually been established yet?
Mark Gardiner: 28 days.
Adam Zuchetti: 28 days, okay. Sticking on the ... I suppose the issue of cyberspace and things like that, but at a slightly different tack. Social media in particular has given rise to a lot of questions around defamation. If you say something that you shouldn't, and how do you deal with it, how do you take it back? What are the procedures that you can have in place for that?
From your perspective, is this a really big problem, and what can actually be done as preventative measures to protect yourself against potential claims?
Mark Gardiner: I think very simply, people need to be careful what they say. If it's posted on Facebook, if it's tweeted, if it's a comment on LinkedIn, it's publishing. So the statement has been published, which then brings it within the confines of the defamation Acts around Australia.
Defamation is a very difficult area of law. It's difficult to ... I'm just trying to think of the right words here. It's difficult to establish damage with defamation. There has to be a reputation that's been damaged. If someone's a public figure, if someone has some fame in the community, the presumption is that they have reputation which can be damaged. If you're defaming someone who is well known, then the damages are likely to be greater than if it's simply an argument between neighbours. But arguments between neighbours can end up in court, and there can be awards of defamation made.
Adam Zuchetti: What's the definition of, I suppose defamation, in terms of if you're presenting an opinion, how can it be judged that this is or is not defamatory?
Mark Gardiner: If a comment has the effect of damaging the reputation of an individual, in circumstances where it's untrue, and unsupportable, it can be defamation.
I should preface this by saying I'm not a defamation lawyer, and it's not an area of law that I do a lot of. We have had some instances where clients have defamed people. There's a defined process within the defamation act, and the first step is that the aggrieved person, which is the term, writes what's called a Letter of Concern. And at that time the defamer, for want of a better word, has an opportunity to apologise. Apologise, withdraw. And that can minimise the damage. There may well be a call for compensation at that point that can be resisted.
But importantly, if someone was to get a concerns letter, they would need to act upon it really quickly. Take down the offending post, and apologise profusely if things aren't true, or things have been overstated.
Adam Zuchetti: Particularly in social media though, it can be a customer posting a comment to a business’s own profile page. Who then is ultimately responsible for that?
Mark Gardiner: Can't generally defame a business. Individuals can be defamed, businesses generally cannot be. Now if the business is operated by an individual, there can be some exceptions. But to get online and complain bitterly about an experience you've had at a large shopping retailer for example, wouldn't be a defamation. There could be a course of action under the competition consumer law, but it's unlikely. It'd have to be sort of much more deliberate. But a really bad customer review, which sort of flames say a restaurant or a shop, not likely to be defamatory.
Adam Zuchetti: Let's move on to a different subject now, we'll look at the issue of property. Everyone, or virtually everyone, needs a premise from which to operate. What are the common legal problems that arise with particularly tenancies, I suppose.
Mark Gardiner: We see a number of things. The first one is not having a clear understanding of the obligations. If there's a retail tenancy, governed by the Retail Tenancies Act, and there needs to be a disclosure statement given by a landlord, which sets out in great detail what the obligations of the tenant are through the term of the lease. A lot of people don't take a lot of notice of those, but they should. Because what they do is, they're almost an executive summary of some of the key points in the lease. Tenants should be aware that they're liable for those obligations.
Importantly, what a lot of people don't understand, is that say they have a company and the company is renting the premises, it's not like a residential lease where if you want to get out of it you can just notify the landlord and you're out of it easily.
Commercial or retail lease, you have an obligation for the length of that term. So if you want to get out of it early, you then have to negotiate with the landlord about what happens to the balance of that term. If the landlord can get another tenant easily, then that can be the end of your obligations, and I'll come back to that. But if the landlord can't, then for however long those premises are empty, you're liable. And you must keep on paying the rent. Oftentimes there are directors guarantees, or personal guarantees, guaranteeing the obligations of the company that's a tenant. And so the individual's responsible for making sure that rent is paid. And there's often a bank guarantee, or deposit bond required, which can be called upon by the landlord.
Most people look at getting out of their rental premises when they're in financial trouble; sales haven't been what they hoped for, downturn in the economy, finding it really hard to compete with online businesses. So they're running out of money, so they're saying "Well I've got no option but I've gotta close my shop" for example, someone we had recently. But it doesn't end the financial obligations and it doesn't end the pain. We've seen people lose their house because of a lease they've signed.
We had one client who had a five year lease. After about a year and a half it was pretty clear that they weren't able to make enough money to pay the rent and feed their family. They battled on for six months and in about two years they closed the shop, having not paid the rent for about four months. So straight away there's large debt, and the lease had fairly substantial interest penalties for late payment. So then they're out of the premises, but the landlord's still chasing them for the money. And the landlord was trying to re-let the premises but couldn't. A year later, when the matter got to court, the premises were still empty and the person had a very large debt to pay to the landlord.
So people really need to think very carefully about going into rental premises for their business.
Adam Zuchetti: Do you find that a lot of clients think that they can handle this themselves, and don't seek the legal advice at the point of signing an agreement, when they really should be by the sound of things?
Mark Gardiner: Yeah they really should. It's important when looking at any complex legal document, to get advice. Now, I'm biassed of course, I'm a lawyer. That's what I do. But from an individual’s perspective, if you're getting a 40 page contract, and that's what a lease can often ... it's very long and complex. You need to make sure you understand what the obligations are.
The other thing I didn't mention before in terms of problems, is "make good" requirements, or landlord contribution.
Adam Zuchetti: Yes, this is something I actually wanted to come to.
Mark Gardiner: Yeah. 'cause these can be some financial penalties as well. Sometimes landlords will incentivize people to come into their premises. And they'll do that by way of, say, a contribution to the fit-out. The lease will generally have a provision in there which says "If you leave early, you must repay that contribution." Or a portion of that contribution. And often it's a diminishing amount over the length of the lease. So if you wanted to leave early, not only do you need to make sure you can get another tenant and end your payment obligations, you may have to repay that initial contribution.
And then if you get to the end of a lease, and all has gone well, you then have an obligation to make good the premises. Which may involve re-carpeting, repainting premises.
Nicole Billett: Pulling out the entire fit-out.
Mark Gardiner: That happens. Some leases have a make good which require back to building base. So literally removing everything that's installed. Plaster walls, electrical cabling.
Adam Zuchetti: How much of this is actually negotiable from the outset?
Mark Gardiner: It depends on the landlord. Often it's not, often it's not. And if it's not, if it's in a really high demand area, or if it's a really popular site ... I guess I'm saying the same thing twice. Shopping centre leases are very difficult to negotiate. There's some very large shopping centre chains out there that aren't very amenable to negotiations. If it's a small individual owner of a shop, or office premises, they may be more negotiable. But it's important, even if it's not able to be negotiated, it's important to really understand the obligations that you may have before you sign the lease. Absolutely critical.
Nicole Billett: Because that way then, even as a business person, you know they're your financial obligations coming up the pipe maybe, so you can account for it. You can know "these are our plans longer term. We're thinking that we possibly may have outgrown these spaces in five years, so we do want to move on, therefore we need to accrue or provision for the fact that this expense will be coming up the lift", rather than just bumbling on and going "Well we're growing, things are great and moving on."
It can hit you whether you're growing or whether you're shrinking, in terms of knowing and understanding what those obligations will be under the lease.
Adam Zuchetti: Yeah, okay. But are there any other really key issues that come up in the SME space from a legal perspective?
Mark Gardiner: Debt recovery always looms large. People provide goods and services and sometimes they don't get paid. What do they do to get paid? Our starting point as a firm is to make sure that, if you're a provider of goods or services, that you really have a good engagement process. That you have good terms of sale, if you're selling goods, or a good agreement or contract if you're providing services. What are the obligations? What are you providing, what are they expecting? What are they gonna pay, when are they going to pay it?
You can go down a rabbit hole in terms of chasing money. Chasing money is difficult. It's expensive, it's time consuming, and you may lose. Or you may win, and still find that the person who owes you money doesn't have any. So you've spent a lot of money and time and trouble chasing a debt which is never going to be paid. So what we try and do is make sure our clients are set up well with good agreements, so that both parties to the agreement understand their obligations. And that can often avoid debt recovery issues.
And then when there are debt recovery issues, when someone isn't paying, then things like a friendly reminder is a good starting point. Then an overdue reminder. Then a final notice. So escalating the correspondence. And then we always recommend direct contact. At some point before you get really heavy with someone who owes you money, try and talk to them, rather than send them letters or send them emails. Give them a call, find out what the issues are. Maybe you can negotiate something at that point. And then sometimes a formal letter of demand from a good friendly happy law firm like us.
Nicole Billett: But we do tend to find that with lots of the dispute challenges that clients have shown us, when you get down to the nub of it, the scope of works or defining what the provider was going to provide to the purchaser, is so vague, that you can see why they've ended up in a pickle. That at that beginning, when you are negotiating what you're selling, how you're going to deliver it, timeframe, milestones, all of those really good procedural things that are required, can mitigate that possibility of ending up in that position.
And I think lots of businesses are really keen to satisfy and service clients, and they perhaps gloss over, or don't want to upset the applecart, at that point in the relationship by being a little bit too prescriptive about what they're going to do. But a pretty good robust conversation, and documenting it, and going "we're both really clear about who's doing what, and what happiness is going to look like for you at the end of this relationship" I think goes a long way to minimising the potential of trying to recover monies when clients are unhappy and they don't pay the final invoice and all those kind of things.
Adam Zuchetti: So that goes in terms of sort of minimising the risk, but if all that's in place and it still doesn't work, does it make a difference from a legal point of view if you actually have quite a defined and definitive contract in place, and all those terms are very specific, does that really help your case legally, to try and recoup that debt?
Mark Gardiner: Yes it does.
Nicole Billett: Definitely.
Mark Gardiner: Absolutely does.
Nicole Billett: Best evidence wins, always.
Adam Zuchetti: Yeah, okay. So prevention's the best measure by the sound of things.
Mark Gardiner: Absolutely right.
Andy Scott: That feels like another entire podcast here.
Adam Zuchetti: It does, it does. So what's your website? If people have more questions on some of the things that we've covered, where can they go to?
Mark Gardiner: TeddingtonLegal.com.au
You can follow us on all the social channels, and until then we'll be back again next week. Thanks for tuning in.
Andy Scott: See you guys.