Commercial
Transactions
Module 7
Electronic Commerce
Summer Session 2011-12
©MNoonan2012
This presentation and Copyright therein is the
property of Maureen Noonan and is prepared
for the benefit of students enrolled in the
Commercial Transactions course conducted by
the Law Extension Committee and is available
for their individual study. Any other use or
reproduction, including reproduction by those
students for sale without consent is prohibited.
©MNoonan2012
In this module, we will firstly look at e-commerce in a
general way; reflecting on how the type of transactions we
have already looked at are affected by this medium.
-Contract formation, Sale of goods and services
Then we will look at some aspects of electronic commerce
vital to business:
-data management and security including privacy
-electronic methods used in legal proceedings
And lastly, a specific service-electronic banking and
payment methods-and an avenue of ADR.
As many commercial arrangements and transactions now
occur using electronic commerce, students are expected to
deal with issues arising in either a physical or virtual
©MNoonan2012
business environment.
What is e-commerce?
An exchange of goods, services, information or other assets
between suppliers and buyers facilitated by electronic means
Telephone, fax, videoconferencing
Sound, vibration, email
Barcodes and stocktaking recognition
Billing systems
Webpage display and advertisements
Accounting data transfer
Online sales
Data storage
Electronic data exchange
Intranets and extranets
Smartcards
Management Information Systems
Electronic orders, comparative searching
Automatic document production
©MNoonan2012
Electronic Commerce
We can see Electronic Commerce at work in many ways
- a communications perspective
- a business process perspective
- a service perspective
- an online perspective
- a transaction perspective
- a legal perspective
- a business-to-business and business-to-consumer
perspective.
©MNoonan2012
Communications Perspective
From a communications perspective, electronic commerce
is the delivery of information, products / services, or
payments via telephone lines, computer networks or any
other means.
When looking at the arrangements in place, we normally
look to contract law. For example, offer and acceptance
may occur electronically via the telephone, or an exchange
of emails or faxes. It can also be a service and ACL ss. 6063/(old s. 74 TPA)can be relevant.
©MNoonan2012
Communications
As well as communication between parties, we should
recognise the expanding role of electronic means to
disseminate information or communication between
multiple persons and networks.
FOCUS---- social networks
They pose problems for law enforcement-beyond
national boundaries---e.g.suspect name suppressed
but already widely known via Facebook (murder of
family at Kapunda)-they also provide new
opportunities-e.g. expanding investigative processes,
finding information and those with information, serving
legal process.
©MNoonan2012
Service on Facebook
In September 2010 Victorian police were asked to
assist in service of an intervention order where
an individual was being bullied via Facebook.
All papers etc were typed out into private
messages and sent to his account. In addition, a
video of Senior Constable Walton reading the
order was also sent.
©MNoonan2012
Liability and Social Media
If a business uses social media as part of its
marketing strategy, it needs to manage the risk
of liability for misleading deceptive or
defamatory words by
carefully monitoring the platforms (using
people with the appropriate skills) and
dealing with any dangerous material.
©MNoonan2012
ACCC v. Allergy Pathway
In 2009, ACCC took court action against a company for misleading and
deceptive statements. A number of orders were made including
undertakings by the company and its Director not to repeat the
statements.
In ACCC v. Allergy Pathway Pty Ltd (No2)(2011) FCA 74, the ACCC
again took action for contempt of court for material published on their
website and publication on Twitter by means of links (admitted) and
for testimonials posted by clients on the “wall” and “fan” page Allergy
had set up on Facebook (denied).
Federal court found Allergy had published the testimonials because it
knew of the testimonials and although Allergy and the Director Kerr
could have removed them, they did not.
Fined $7,500 each and ordered to pay ACCC’s costs and extensive
orders for corrective advertising, including on Facebook and Twitter.
©MNoonan2012
Social Media Policy
Do businesses need a Policy? Many believe they do and have
implemented them. E.g. Telstra
“In brief, the 3 Rs ask that when engaging in social media you be clear
about who you are representing, you take responsibility for ensuring
that any references to Telstra are factually correct and accurate and do
not breach confidentiality requirements and that you show respect for
the individual and communities with which you interact”
What if employees give away information, discuss business, staff,
management on social media?
What if employees put enterprise at risk of legal action?
©MNoonan2012
Business Process Perspective
From a business process perspective, electronic
commerce is the application of technology to the
automation of business transactions and work flows…e.g.
ordering processes, payments, machine software.
In order to analyse the process/transactions for legal
purposes, we need to understand what is being achieved,
the steps and the relationships.
If a new way of doing something, it may be IP, protected
by Copyright and/or be entitled to a Patent. E.g.
Amazon.com ordering system, subjects of
Apple/Samsung patent disputes.
©MNoonan2012
Service Perspective
From a service perspective, electronic
commerce is a tool that addresses the desire of
firms, consumers and management to cut
service costs while improving the quality of
goods and increasing the speed of service or
delivery.
©MNoonan2012
Online Perspective
From an online perspective, electronic commerce provides
the capability of buying and selling products, services and
information on the internet.
This can save businesses from having the costs and
inconvenience associated with physical premises and permit
them to have a much wider reach. By use of logistical
services….transport and storage…that need not be
theirs….they can have large operations and cover wide
areas more easily than formerly. They can also sometimes
do things which were not possible /very difficult before-e.g.
online auctions, avoid GST. There can also be new dangers
for business e.g. Hacktivism, loss of information/data.
©MNoonan2012
Legal Perspective
From a legal perspective,
 When does an electronic signature suffice?
 Consumer protection in relation to business-to-consumer
transactions or business-to-business (small business)
transactions carried out electronically.
 Evidence Act provisions about best evidence. Other evidentiary
Matters including elements of contract formation, attribution of
electronic conduct and Intellectual property issues
 Applications to court and other dispute resolution processes e.g.
Electronic service, electronic discovery, gathering information,
publicising/linking participants in class action proceedings,
remote proceedings, evidence by videolink and decisions.
©MNoonan2012
E-Commerce - Contract Formation








Ways of forming contracts
Exchange of written correspondence by post, fax
Oral in person or by telephone
Written formal agreement or Exchange of emails
Acceptance of an offer by conduct
Types of Contracts
Sale/supply of physical goods
Licences (e.g. software,music,film)
Supply of services…banking, shares, advice.
Combination contracts
©MNoonan2012
Reflection point
Consider eBay auctions/transactions.
Does eBay provide a platform or participate?
Who is the contract between?
Some differences with physical auctions-e.g. no physical
presence to check bona fides or conducted ethically,
sometimes over a considerable period, proxy/maximum
bids enable online system to place bids, anonymity of
sellers/buyers etc.
A problem can be enforcement of a contract
©MNoonan2012
Peter Smythe v. Thomas (2007) NSWSC 844
PS bid $150,000 for a 1946 Wirraway plane, one of only 5 in the world
still flying. T refused to deliver as he had changed his mind and sold
to another buyer for $250,000. He argued there was no contract to
enforce between PS and him because the only contracts were
between each of them and eBay.
Court ordered T to complete the sale-granted specific performancebecause it found a contract between them based on the eBay
rules.. Court examined eBay Rules…”if you receive at least one bid
at or above your stated minimum price (or in the case of reserve
auctions, at or above the reserve price), you are obligated to
complete the transaction to the highest bidder upon the item’s
completion”. Offer accepted when PS made highest bid, even
though payment terms had not yet been concluded. Auction and
therefore a sale of goods. Court also intimated that eBay was agent
of Vendor and therefore under an obligation to monitor and
superintend the conduct of vendors.
©MNoonan2012
Decisions outside Australia
Note that there had been various inconsistent
overseas decisions re obligations of eBay
concerning the sale of counterfeit items
US-Tiffany (NJ) In. v. eBay Inc
-Lars Gentry v. eBay Inc - fake sports memorabilia
Germany-Rolex SA v. eBay GmbH 2004
France- eBay v. Dior LV 2008
©MNoonan2012
Effect of Peter Smythe decision re consumer
protection
Because online “auctions” were auctions, they
were excluded from TPA protections.
See now ACL –e.g. s. 54…guarantee as to
acceptable quality….sale by auction
excluded…definition of “sale by auction” in s.
2…in relation to the supply of goods by a
person means a sale by auction that is
conducted by an agent of the person (whether
the agent acts in person or by electronic means)
See s. 60 SOGA.
©MNoonan2012
EcommerceSubject to the same laws as physical transactions
Some need for special legislation
Electronic Transaction Acts from about 2000.
In 2010 a model Electronic Transactions Act was agreed to
by all State and Territory Attorneys General and the
Commonwealth Attorney General and relevant amendments
passed to existing Acts.
The laws post 2010 reflect the most recent UN convention
on the use of electronic communications in business, are
meant to ensure rules are consistent to support growth of ecommerce
Electronic Transactions Act 1999 –Commonwealth
Electronic Transactions Act 2000-NSW
©MNoonan2012
Electronic Transactions Act 1999 Cth
Electronic Transactions Act 2000 NSW
The following requirements imposed under NSW law can
generally be met in electronic form--A requirement to give
information in writing, to provide a signature, to produce a
document, to record information, to retain a document.
Provision is made for determining time and place of
dispatch and receipt of electronic communication.---NSW s.13,13A,13B Cth s. 14,14A,14B.
Originator only bound if sent by, or with authority of,
purported originator. NSW s.14 Cth. s. 15
©MNoonan2012
Electronic Transactions Acts
Contain provisions which clarify:
An unaddressed proposal to form a contract is to
be regarded as an invitation to make offers
rather than as an offer that if accepted would
result in a contract
A contract formed automatically not invalid, void or
unenforceable because no human review or
intervention
©MNoonan2012
Electronic Transactions Act 2000 NSW
Time of dispatch s. 13
(1) For the purposes of a law of this jurisdiction, unless otherwise
agreed between the originator and the addressee of an electronic
communication, the time of dispatch of the electronic
communication is:
(a) the time when the electronic communication leaves an
information system under the control of the originator or of the
party who sent it on behalf of the originator, or
(b) if the electronic communication has not left an information
system under the control of the originator or of the party who sent
it on behalf of the originator-the time when the electronic
communication is received by the addressee. (where parties use
same system)
(2) Subsection (1) applies even though the place where the
information system supporting an electronic address is located
may be different from the place where the electronic
communication is taken to have been dispatched under section
13B.
©MNoonan2012
Electronic Transactions Act 2000 NSW
Time of receipt s. 13A
(1)


(2)
(3)
For the purposes of a law of this jurisdiction, unless otherwise agreed
between the originator and the addressee of an electronic communication:
(a) The time of receipt of the electronic communication is the time when
the electronic communication becomes capable of being retrieved by the
addressee at an electronic address designated by the addressee, or
(b) the time of receipt of the electronic communication at another
electronic address of the addressee is the time when both:
(i) the electronic communication has become capable of being retrieved
by the addressee at that address, and
(ii) the addressee has become aware that the electronic communication
has been sent to that address.
For the purposes of subsection (1), unless otherwise agreed between the
originator and the addressee of the electronic communication, it is to be
assumed that the electronic communication is capable of being retrieved
by the addressee when it reaches the addressee’s electronic address.
Subsection (1) applies even though the place where the information
system supporting an electronic address is located may be different from
the place where the electronic communication is taken to have been
received under section 13B
©MNoonan2012
Electronic Transactions Acts
Issues
What is an electronic communication?
What is an information system?
Who is the originator?
Who is the addressee?
©MNoonan2012
What is an information
system?
Contrast
Smith FM in American Express Ausralia
Limited v. Michaels [2010] FMCA 103,
paras 26,27,28 with
Associate Justice Macready in Reed v. Eire
[2009]NSWSC 678 paras 29-35incl.
©MNoonan2012
NOTE that there are exceptions to the general
rule that electronic communications are
equivalent to physical by virtue of the
Electronic Transactions Acts
e.g. Insurance Contracts Act
The Insurance Contracts Act specifies that some communications must be in writing. Most
provisions impose obligations on the insurer to advise the insured of something in writing
(ss.22,35,37,39,40,44,49,58,62,68 and 74).s,69 permits oral information, provided later
given in writing.
The ETA 1999 (Cth) provides that in general where a commonwealth law requires a notice
in writing, it may be given by electronic means provided that the recipient consents.
However, the ET regulations exclude the ICA from the scope of these provisions!
Because of the seriousness of some of these notices e.g. cancellation, in a Treasury review
of the ICA in 2004, a recommendation was made that E communications be possible with
consent and provided a record could be printed.
Land/conveyancing contracts
See Regulations to the Acts
©MNoonan2012
E-commerce
Is there a valid Contract?
Valid offer?
 Wording and display?. Limits? Systems?Interactive or active site?
 Automated interactive sites? Vending machines…offer made when
proprietor holds it out as being ready to receive money. Contract formed
when consumer places money into the slot and selects item.
Acceptance?
 Effective at the time communicated to offeror. When is it communicated?
Email?Instantaneous? Press Send, goes to ISP, goes via a number of
servers and received when recipient logs on and downloads. May go
around the world to get to the next building. Is it similar to the postal
system? Difficulties with certainty in time of communication.EDI is
instantaneous. Fax? What if noone there to receive it?
Intention to create legal relations? Capacity?
Consideration?
Terms are certain?
©MNoonan2012
Discussion point
Can eBay change the terms and conditions
of its contract by posting a notice on its
Website?
See eBay terms of use
©MNoonan2012
Shrinkwrap, Clickwrap and
Browsewrap licences
Usually encountered when purchasing
(shrinkwrap) or downloading and using software
applications and electronic information
distributed online (clickwrap and browsewrap)
Shrinkwrap…on the clear plastic wrapper
Clickwrap…I agree button
Browsewrap…appears on site somewhere…by
using this site….you agree etc…
©MNoonan2012
Shrinkwrap
Quite often order is made by phone and company promises
to send the item. Contract usually formed when order
made, accepted, payment etc, and cannot add terms
later. However, may be situation where on consider and
agree/or return basis…sophisticated user with knowledge
usual terms…licence terms shown each time program
loaded with offer of refund if not acceptable….
If terms desired, need to be made known and agreed to by
contracting party at time of contract…conditional on
acceptance…return possible?
©MNoonan2012
Good rap for browsewrap in USA:
Register.com Inc v Verio Inc
Authors: Leaellyn Rich and Irene Zeitler of Freehills
Agreement to terms and conditions?
Decision affirming the enforceability of browsewrap
licences, the U S Court of Appeal for the Second
Circuit has upheld a preliminary injunction issued
against Verio Inc. (Verio), a website developer and
hosting firm, for breaching the browsewrap-style
terms of use for the services of the plaintiff,
Register.com (Register): Register.com Inc v Verio
Inc . 356 F. 3d 393 (2d Cir. N.Y. 2004), 2004 U.S.
App. LEXIS 1074.
©MNoonan2012
Facts in Verio
Register, a provider of domain name registration services, had agreement with
Internet Corporation for Assigned Names and Numbers (ICANN). Register was
required to maintain and update a publicly available 'WHOIS' database of
registrants' contact information, was not to impose restrictions on use of this data,
except re electronic spamming. Register established a WHOIS database, which it
updated on a daily basis, and provided a free public inquiry service for the
information contained therein. Register's responses to WHOIS queries were
captioned by a 'legend' stating that by submitting a query, the user agreed to
refrain from using the data to conduct mass solicitations of business by email,
direct mail or telephone (a more stringent restriction than that envisaged under the
ICANN Agreement, which was only in relation to the restriction of mass solicitation
by email).Verio developed automated software program or 'robot' (Robot) to
access WHOIS database and compile massive lists of new registrants whom Verio
then subjected to a barrage of unsolicited marketing by email, direct mail and
telephone.Register demanded Verio stop, but Verio only partially complied,
ceasing email solicitations, but continued direct mail and telephone. Register sued
for breach terms.Verio argued not contractually because it never received legally
enforceable notice of Register's conditions as the restrictive legend did not appear
©MNoonan2012
until after Verio had submitted the query and received the WHOIS data.
Decision in Verio
Court upheld the preliminary injunction, concluding that online contracts do not
always require formal acceptance by the offeree. In the circumstances, Register's
browsewrap-type terms of use, combined with Verio's actions in repeatedly
accessing the WHOIS database constituted a valid offer and acceptance, thereby
resulting in a legally enforceable contract.Court distinguished case Specht. Court
also disagreed with the Ticketmaster, expressly rejecting that terms were
unenforceable because user had not clicked an 'I agree' icon:
'[w]e recognize that contract offers on the Internet often require the offeree to
click on an "I agree" icon … no doubt in many circumstances, such a statement
is essential to the formation of a contract. But not in all circumstances...It is
standard contract doctrine that when a benefit is offered subject to stated
conditions, and the offeree makes a decision to take the benefit with knowledge
of the terms of the offer, the taking constitutes an acceptance of the terms,
which accordingly become binding on the offeree.'
Particular significance was attached to the fact that Verio was a commercial entity
that was making numerous, successive inquiries of Register's database, as a
result of which it had become well aware of the terms exacted by Register.
©MNoonan2012
Implications of VERIO US decision
As electronic commerce has developed, courts have been confronted
with the task of applying age-old principles of contract law to various
online permutations of the classic idea of agreement between parties.
While, in recent years, courts have become comfortable with enforcing
agreements supported by 'clickwrap' procedures, Verio is an authority in
relation to the enforceability of 'browsewrap' or 'Web wrap' agreements.
This case helps to elucidate contract principles as they apply to
browsewrap agreements and, in particular, clarifies the circumstances in
which the provisions of browsewrap agreements will be held to be
enforceable. Although Australian courts are not bound by American case
law, the decision in Verio provides a useful guide as to how an
Australian court might deal with the issue.
©MNoonan2012
Specht v Netscape Communications
Corp., 306 F.3d 17 (2d Cir. 2002),
The Court declined to enforce terms specified by Netscape
against a user of Netscape's software due to insufficient
evidence that the user had seen the terms when
downloading the software. The terms of Netscape's offer of
software were posted on the website from which the user
downloaded the software. However, the user would not
have seen them without scrolling down their computer
screen, and there was no reason for them to do this.
©MNoonan2012
Ticketmaster Corp. v Tickets.com Inc.,
No. CV99-7654, 2000 U.S. Dist. LEXIS 12987, 2000 WL 1887522
The Court, noting that the taker of the information was not
provided with an 'I agree' icon to click (although fully
aware of the terms on which information was offered on
Ticketmaster's site), concluded that there was insufficient
proof of agreement to support a preliminary injunction.
The Court Verio commented that '[u]nder the
circumstances of Ticketmaster, we see no reason why the
enforceability of the offeror's terms should depend on
whether the taker states (or clicks), "I agree".'
June, 2004
©MNoonan2012
Unconscionability, Unfairness and
Standard terms used in
ecommerce contracts.
Consider the application to:
 Choice of law clauses
 Arbitration clauses
 Forum clauses
 Payment/fees clauses
 Term of contract/renewal clauses
 Resulting damage
©MNoonan2012
ACL s. 18/S.52TPA and e-commerce
misleading or deceptive conduct
Consider also ancillary liability ( aids, induces, conspires, knowingly concerned) e.g.
executives or salespeople, manufacturers, retailers associated with a particular transaction.
See expansion in ACL... As long as some conduct taken place in Australia,
can involve T&C between Australia and overseas. Where were the
representations made?..relevant conduct… not the state of mind.
No need for an active representation. Can be silence e.g. incomplete
information, changes not noted or where reasonable expectation of
information.
Examples of possible problem areas:
Advertising
Website design, logos, product description,Domain names
Metatags and cyberstuffing-keywords to attract search engines
Linking and framing
Distributing software without permission
Contract terms
©MNoonan2012
Jurisprudence of TPA still relevant to ACL because
provisions almost* the same
Misleading and deceptive conduct
Taco Bell Inc. v. Taco Bell P/L (1982) 42 ALR 177
4 step approach to whether conduct is misleading and deceptive in all
the circumstances
(1) Identify relevant section of public who may be mislead/deceived.
(2) What is effect of conduct on all those within that section…would a
reasonable member of that section be mislead?
(3) Evidence that consumers are in fact suffering from a misconception
may be persuasive but is not essential
(4) It must be established that the misconception has arisen as a result
of conduct complained of and not some other factor
NOTE that intent of defendant not relevant and not enough to cause
mere confusion. Conduct must actually mislead or deceive or be likely
to…different to passing off action where confusion enough.
*extended to person and not just corporation, T&C expansion.
©MNoonan2012
Sales of goods over the internetterms and conditions
Results of a survey of on line retail sites by ACCC 2004
Terms and conditions compulsory viewing
Require positive consent before completion
Written contract easy to find
Clause attempting to disclaim warranties in breach TPA
Clause attempting to limit liability
Clause attempting to limit responsibility for inaccuracy
Clause stating that use of site is agreement to T&C
Both clauses attempting disclaimer warranties
and limits to liability
14.7%
32.80%
17.4%
50.9%
66.00%
54.3%
48.7%
43.8%
70% of online sites surveyed raised concerns for ACCC
©MNoonan2012
Foreign web scheme banned
Peter James and Andrew North of Allens Arthur Robinson
Example also of ACCC and FTC co-operation
ACCC case against US based SkyBiz.com Inc, illustrating that web-based
activities can be subject to laws where information accessed, not just the law of
home country operations..
ACCC alleged in Federal Court that SkyBiz.com Inc contravened TPA 61 through
its operation of a pyramid selling scheme and had engaged in misleading and
deceptive conduct and referral selling, prohibited by ss. 52, 59 and 57.SkyBiz.
consented to orders that:The Skybiz scheme was a pyramid selling scheme.
Skybiz represented the scheme could be used to engage in ecommerce when it
could not; SkyBiz attempted to induce people to take part by representing that
those who joined would later receive money if they introduced new consumers,
contingent on those new consumers recruiting further consumers, thereby
engaging in referral selling.SkyBiz represented the scheme would be a profitable
business for all persons who took part and could be carried on at/ from, their
home, when in fact this was not the case, thereby making false or misleading
representations and SkyBiz attempted to induce persons to take part by
representing that those who joined would later receive payments.
©MNoonan2012
Sales of goods over the Internet
Same as physical sales plus some
Goods to correspond with description
Do the goods delivered correspond with
description, picture?
Important to check pictures and descriptions to
make sure they match those delivered.
Any tendency to vary should be clearly noted on
site so as to be clear to the customer prior to the
decision to purchase being made.
©MNoonan2012
Sale of Goods Act
Fitness for Purpose
Has the customer made known, expressly or impliedly, the
purpose to the Vendor?
Expressly
Ordered by description?
Surrounding negotiations?
What is the usual purpose?
Impliedly
One purpose only?
Advertised as being appropriate for particular purpose?
©MNoonan2012
Sale of Goods Act
Merchantable Quality
As people do not see goods before they
buy when bought over the Internet,it will
be particularly important to point out any
defects.
Note Grays auction site. When they sell
factory seconds, they list some or all of
the faults, a note that they have not been
properly assessed, no warranty etc.
©MNoonan2012
Sales over the Internet
Australian Consumer Law
Note the difference in approach in the Australian
Consumer Law, such as:
Guarantees, rather than implied terms.
Acceptable, rather than merchantable quality.
Unfair terms in standard form contracts.
©MNoonan2012
Sale of Goods over the Internet
Capacity
Normally there is a presumption at common law, that a person who
enters a contract has full capacity to do so. Some exceptions for those
under a disability-might include minors (under 18), mentally disable,
drunkards, bankrupts.
It is impossible to be sure of identity of Internet Customer.
Consider the situation with Minors:A contract made by a minor is “voidable”, at the minor’s option. One
exception involves “Necessities”-food, clothing, education or
goods/services fit to maintain them in station of life in which they
move. Even so, unenforceable if contains harsh, unreasonable terms
or price is unreasonable.
Burden of proof with supplier.
What is the situation with “Luxury items”? CDs, computer games?
©MNoonan2012
Sale of Goods over the Internet
Purchase by a minor
The minor uses their own debit card
The account would be debited before goods received. Therefore, once,
goods received, minor would have to litigate to recover the money.
However, if they changed their mind prior to delivery and informed
supplier they wished to withdraw, the supplier would not be able to rely
on contract terms and conditions. Minor would be entitled to a full refund.
The minor uses adult debit/credit card without permission
Should be treated same as if card stolen. When adult becomes aware,
might choose to ratify; in which case contract would be with adult and
fully enforceable. If they denied validity, child could be prosecuted for
theft. Credit company would most likely seek to recover the money and
the supplier would lose out.
The minor might be obliged to pay after receipt of goods
Seller could not enforce contract to recover money. Unless fraud, they
could not recover the goods either.
©MNoonan2012
Sale of Goods over the Internet
Sale by a minor
In NSW law has altered CL position and is different to that in the other
States.
See the Minors (Property and Contracts Act) 1970.
 If for their benefit, it is presumptively binding
 The Supreme Court can make an order granting them capacity
 A minor cannot enforce a contract that is not presumptively binding
 On reaching 18, minor can affirm an act they participated in during
minority
 On repudiation, courts have wide discretion to produce a fair result.
 Where a disposition of property occurs and minor receives at least part
of consideration, it is presumptively binding.
©MNoonan2012
Protection of IP in electronic
commerce
Issues to consider:
Ease of copying
Ease of manipulation once copied. Can have positive
outcome-use of that information to spur creativity.
Hacking and hacktivism
Loyalty of staff, customers and Leaking
Note copyright and royalty issues highlighted by music
publishers, electronic books….
Development of new technology and new businesses…e.g.
tablets with apps, text books recorded so students can
listen on their ipod instead of reading, cloud storage,
comparison shopping, analysis.
©MNoonan2012
Data Management
Emerging legal problems
Potential legal liability arising from
Unauthorised access to systems/data by third parties
Accidental data leakage
Unauthorised access and use of data and systems by
internal users.
Loss of availability of physical assets e.g. theft of laptops,
malicious code attacks
Loss of availability of data
Loss of availability of services
Loss of data integrity
©MNoonan2012
iPhone v. BlackBerry
taken from an article by Dylan Welch smh Oct 20,2010
Global obsession with the iPhone is not only becoming a
threat to security; an entire criminal industry has sprung
up around it, says the head of the Australian Crime
Commission (John Lawler).
Rapidly replacing the BlackBerry, but unlike it and other
smartphones, the iPhone does not allow a company’s IT
staff to install and upgrade its own security software,
leaving business networks at risk of penetration.
Criminals were finding more and more opportunities to
use it to intrude, steal and defraud. Even the desire for
the phone is creating a burgeoning black market.
©MNoonan2012
Data Management
Potential legal liability
Misleading and deceptive conduct example:
Theft or leakage of credit (or debit) card information
resulting in online fraud.
Was there an implied representation that X had taken the
security measures required by industry practice to
safeguard personal and financial information?
US example of TJX
Consider also the Vodafone situation in January 2011 and
other examples (e.g.Telstra) in Australia of lax security
and controls leading to loss of personal data.
©MNoonan2012
Vodafone
“Sitting in a western Sydney business with a
laptop and someone who knew a login for
Vodafone’s customer database, I handed over my
mobile number to be punched …in seconds, we
could see all my personal details…my full name,
address, driver’s licence number, date of birth, the
pin number to access and change details…my
entire call list…was visible…”
Natalie O’Brien Sun Herald January 9, 2011
©MNoonan2012
From the news….
SMH 20 January, 2011
The detailed records of thousands of UoS students past
and present are being stored online where they can be
easily downloaded and read via an internet
connection…reported that UoS was told about this
security problem in February 2007, but did not move to
rectify it. The website was sabotaged weekend of 15/16
January.
NSW acting privacy commissioner John McAlteer said it
indicated a breach of s. 12 © of the NSW Privacy and
Personal Information Protection Act 1998.
©MNoonan2012
TJX example-facts
TJX was a retail chain with 3,500 stores. In Dec 2006, it disclosed that
hackers had gained unauthorised access to its computer and
customer credit and debit card records had been compromised.
Hackers first accessed July 2005 and intrusions undetected for 18
months, during which time 45 million records stolen-credit card
details, drivers licence numbers, social security numbers of 451,000
TJX customers.
Hackers exploited one initial weakness and then built from there…weak
wireless protocol used to transfer data between hand held price
checking devices, cash registers and main computer. Hackers sat in
a car park close to a store and used basic equipment. Also weak
firewall and failure to implement further security equipment available.
Data sold on the internet and used by online fraudsters from
Sweden, Ukraine, Turkey, Australia, HK and Mexico.
2 class actions-by consumers and by issuing banks
©MNoonan2012
Data Management
Potential legal liability
A credit card transaction:
Merchant
Acquiring Bank
Consumer
Credit
Card Co
Issuing
Bank
*Diagram from Gifford, Information Security Managing the Legal Risks, CCH
©MNoonan2012
A credit card transaction
1. Consumer uses a credit card to pay for a purchase with merchant.
2.
3.
4.
5.
6.
The card has been issued to consumer by a financial institution
(“issuing bank”) e.g. ANZ
Merchant sends consumer account info to bank that handles all
merchant’s transactions (“acquiring bank”) for validation
Acquiring bank sends info to issuing bank for payment authorisation
via networks operated by Visa or Mastercard.
Issuing bank authorises transaction and remits funds to acquiring
bank.
Acquiring bank remits funds to merchant
Issuing bank bills consumer and consumer pays issuing bank
©MNoonan2012
A credit card transaction
Contractual relationships?
Acquiring bank with Mastercard and Visa
Acquiring bank with Merchant
Consumer and Issuing Bank
No contractual relationship between consumer and
Mastercard, or Issuing Bank and
Mastercard/Visa
©MNoonan2012
TJX example-legal actions
By Issuing Bank
Issuing banks had no idea transactions were fraudulent and so paid out,
but unable to recover from customers because they had not made
purchases.
As well as losses from fraudulent transactions, issuing banks incurred
millions of admin costs in replacing compromised cards and
providing enhanced monitoring of compromised customer accounts
No realistic prospect of targeting fraudsters
Original hackers never found
No legal basis for recovery against Mastercard or Visa
Action taken against TJX and Acquiring Bank-breach of contract,
negligence (dismissed), misrepresentation and violation of
Massachusetts General Laws Chap 93A.
Settlement reached USD65M
©MNoonan2012
TJX example-legal actions
By Consumers
Class action against TJX for “distress” at prospect
and risk of identity theft. Loss had been
absorbed by their issuing bank.
TJX agreed to provide consumers with vouchers,
cash, credit monitoring services, identity theft
insurance and reimbursement of proven out of
pocket expenses (e.g. replacing licences).
Total cost (USD 10-20m)
©MNoonan2012
Industry practice
Is there a relevant standard?
Was there an implied representation that X had taken the
security measures required by industry practice to
safeguard personal and financial information?
In this situation there is the Payment Card Industry Data
Security Standard (PCI DSS), a security standard
developed and administered collectively by the leading
credit card companies (Amex, Visa, Mcard, Diners, JCB)
Is it reasonable to infer organisations impliedly rely on
other organisations accepting credit card payments
taking appropriate security measures?
©MNoonan2012
Confidential information
Theft or leakage of confidential information
Was there a contract to safeguard info?
If so, may be action for breach of contract.
If not, may be negligence or express or implied
representation that security measures in place.
Should one check that they are, or make it a term of
a relevant contract, …..as an aspect of risk
management when negotiating a contract?
©MNoonan2012
Other potential liability
Directors and Officers
Corporations Act-duty of care and diligence…discharge their duties
with the degree of care and diligence that a reasonable person
would exercise if there were a director in the corporations
circumstances.
Company operating online-Duty?
ASIC v. Macdonald (No 11) NSWSC287-James Hardie-a
Director/Officer with specialist skills will be judged differently to one
without.
Note business judgement rule-good faith, proper purpose, no personal
interest, informed judgement and believed rationally it was in best
interests of company.
Duty owed to company, not world at large. Note increase in actions by
Shareholders.
©MNoonan2012
Other potential liability
CRIMINAL
Consider Wikileaks situation and calls for criminal
prosecution
Australian Cybercrime Act 2001
VICARIOUS LIABILITY
Employer for employee actions e.g. sexual
harassment or discrimination by offensive
emails, text messages, pictures
©MNoonan2012
Privacy
“Privacy is dead-get over it…”
said CEO Sun Microsystems in 2000
Concept relates to individuals and not organisations
Limited protection in Australia under Cth Privacy
Act. (Also NSW Privacy and Personal Information Protection Act 1998.)
Focus is conciliation between aggrieved individual
and organisation rather than compensation
If conciliation not possible, Privacy Commissioner
can make a “determination” which can include
compensation-but rare and modest to date.
Therefore, provides no incentive to improve.
©MNoonan2012
Privacy Principle 4 of NPP
We will consider only privacy in connection with
information security.
NPP apply to private sector organisations.
Information Privacy Principles (IPPs) apply to
public sector agencies.
©MNoonan2012
Privacy Principle 4 of NPP
Data Security
4.1 An organisation must take reasonable steps to
protect the personal information it holds from
misuse and loss and from unauthorised access,
modification or disclosure
4.2 An organisation must take reasonable steps to
destroy or permanently de-identify personal
information if it is no longer needed for any
purpose for which the information may be used
or disclosed.
©MNoonan2012
Privacy Act Compensation
Rare and miniscule
Rummery v. Federal Privacy Commissioner (2004) AATA
1221
Whistleblower at ACT Dept of Justice. DOJ sought to
discredit Rummery by relating information of a personal
nature to Ombudsman. Flagrant attempt by senior public
servant to discredit a whistleblower.
AAT found conduct a “serious breach” of Privacy Act but
awarded only $8,000.
©MNoonan2012
New statutory tort?
Emerging Common law remedy?
ALRC and NSW Law Reform Commission have
both recommended introduction of new
statutory cause of action for “tort of serious
invasion of privacy”.
May emerge incrementally in the common law
due to indications in various HC cases
©MNoonan2012
“Mobile Security Outrage-private phone details of
millions accessible over the Internet”-Vodafone
Sun Herald 9 January, 2011
Customer information accessed through a secure web portal accessible to
authorised employees and dealers via a secure login and password.
Unauthorised use of password and then sharing of information?
Because customer database is not an intranet and instead is on internet users
with a password can log in from anywhere and access any customer
information-name, address, driver licence number, D.O.B., pin number to
access and change details on account, call list.
Up to 4m customers affected. Potential exposure for customers?-criminal
activity, identity theft, spouses checking up on each other.
Already a 12,500 customer class action against Vodafone over service issues.
Best legal remedies for customers?
©MNoonan2012
Electronic Dispute Resolution
Various procedures can be carried out electronically
Some dispute resolution tribunals etc choose electronic
proceedings e.g. Domain Name disputes.
Some Arbitrations reliant on documents can be carried out
remotely and thereby lower costs.
Our courts regularly use various electronic methods-for
service (e.g. on parties via their Lawyer, or if personal
service not feasible on respondent’s Facebook page),
discovery, videoconferencing for overseas witnesses or
parties.
©MNoonan2012
Electronic Banking
Specific study of one type of ecommerce we all use
and which is vital in commerce
Our focus is:
Consumer liability. When will we be liable for
problems/loss in electronic banking (Cl 5 EFTCC)?
Dispute Resolution mechanisms-Internal and (Cl
10 EFTCC) and external (Ombudsman).
©MNoonan2012
Credit Cards & Electronic Banking
Contract between Banker and Customer
Students are expected to have a good working
knowledge of the terms and conditions of a bank
customer contract for electronic banking, credit
cards, internet banking, the application of sections 5
and 10 of the Electronic Funds Code of Conduct to
them, and be able to work through and resolve a
problem with such services.
The EFT Code of Conduct is available on the FIDO
section of the ASIC website.
Useful summaries and copies of policy guidelines for
the Financial Services Ombudsman are available on
their website.
©MNoonan2012
CREDIT CARDS and ELECTRONIC BANKING
Contract between Banker and Customer
Contract may consist of more than one set of
terms and conditions and terms may be implied by other instruments or
by Statute.
See: Electronic Banking Conditions of Use / Terms and Conditions
Note that there are frequent variations from time to time for both
Code of Banking Practice (disclosure mostly)
Electronic Funds Transfer Code of Conduct (especially 5 & 10)
See also:
ASIC Act-misleading and deceptive conduct
Contract Review-harsh/unconscionable
Tort
Negligence
Misrepresentation
Dispute Resolution Methods
Internal-See Terms&Conditions of Contract and Codes of Conduct
External-See Financial Services Ombudsman
Court
Other
©MNoonan2012
EFT Code
What information do you have to be given and when?
You are entitled to a copy of the contract (Terms and Conditions).
The account institution must give you the contract at the time of or before
you use a new way of accessing your account.
Your account institution must give you certain information about your new
card or PIN and include information about fees, restrictions, accounts that
can be accessed, how to report loss, theft or unauthorised use, and how to
make a complaint.
If the account institution changes the rules, they have to tell you about it at
least 20 days before they take effect.
If you deposit, withdraw or transfer money electronically, the account
institution must offer you a receipt showing the date of the transaction, the
type, accounts and amounts involved and location of the transaction.
©MNoonan2012
EFT Code cont.
What happens if there is an unauthorised transaction
on your account?
- There is an obligation to check your statements.
- Contact your account institution as soon as possible.
- There will be some instances where you will be liable for
them, and others where you will not be, and some in
between; where you will be liable to a limited extent.
©MNoonan2012
EFT Code cont.
When will you get your money back for authorised transactions?
When:
- there is fraudulent or negligent conduct by employees or agents of the
account institution;
- a forged, faulty, expired card, PIN or password was used;
- the transaction took place before your received your card, PIN,password;
- a merchant incorrectly debited your account more than once;
- the transaction took place after you told your account institution your card
had been stolen or lost, or someone else may know your PIN or password;
- no PIN or password was required to conduct the transaction;
- it is clear you have not contributed to the loss;
- the account institution expressly authorises the conduct.
©MNoonan2012
EFT Code cont.
When you will not get your money back?
Where the account institution can prove: -
- you contributed to the loss by acting fraudulently, or not
keeping your PIN or password secret;
- you unreasonably delayed before telling your account
institution that your card had been misused, lost or stolen or
that someone else might know your PIN or password.
©MNoonan2012
EFT Code cont.
What is the extent of my liability?
Where the account institution can show that the account holder acted
fraudulently or unreasonably denied advice, they will be responsible to
the extent of the daily transaction limit and the balance of the account.
When will liability be split between the account institution and the
customer?
If a PIN or password was needed to perform the unauthorised
transaction and it cannot be proven that the customer contributed to the
loss, the customer will only be responsible for the lowest of
- $150.00;
- the balance of the account; and
- the amount of money that had gone out of the account before the
account institution was informed.
©MNoonan2012
Notice to Commonwealth Bank Customers
- Access Methods Security Guidelines
Access methods (which include devices and codes) comprise the keys to
your account. You and any other user must take reasonable card to
ensure that access methods and any record of access methods are not
misused, lost or stolen.
These are Guidelines only. They summarise how you can maintain the
security of your access methods and help to avoid losses to you or us.
Your liability for any loss will be determined in accordance with the
Electronic Funds Transfer (EFT) Code of Conduct, the provisions of
which are reflected in the relevant Conditions of Use. For full details on
how to protect your access methods (which includes a card, PIN and
Password) please refer to your copy of the Electronic Banking Terms and
Conditions or Credit Cards Conditions of Use, as appropriate.
©MNoonan2012
Notice to Commonwealth Bank Customers
- Access Methods Security Guidelines cont.
Devices (for example, a card)
You must make sure that:
 devices (if they are cards) are signed immediately upon receipt;
 devices are kept secure and (if they are cards) carried by you
whenever possible;
 you regularly check that devices are still in your possession.
Codes (for example, a PIN or password)
Try to memorise your code as soon as you receive it. If you are unable to
memorise your code and need to make a record of it, please ensure you
have made a reasonable attempt to disguise your code in the record that is, scramble the details so that no one else is able to work out what
your code is. We are not liable to reimburse you if an unauthorised
transaction occurs on your account and you or any other user have not
made a reasonable attempt to disguise a code or to prevent unauthorised
©MNoonan2012
access to the code record.
Notice to Commonwealth Bank Customers
- Access Methods Security Guidelines cont.
For example, we will not consider that a reasonable attempt has been made
to disguise a code if you or any other user only:
 recorded the code in reverse order;
 recorded the code as a ‘phone’ number where no other ‘phone’ numbers
are recorded;
 recorded the code as a four digit number, prefixed by a telephone area
code;
 recorded the code as a series of numbers or words with any of them
marked, circled or in some way highlighted to indicate the code;
 recorded the code disguised as a date (e.g. 9/6/63) where no other dates
are recorded;
 recorded the code in an easily understood code, e.g. A=1, B=2; or
 self-selected a code which is an obvious word or number or one that can
be found in a purse or wallet or can be easily guessed by someone else
(such as a date of birth, middle name, family member’s name or driver’s
©MNoonan2012
licence number).
Notice to Commonwealth Bank Customers
- Access Methods Security Guidelines cont.
You or any other user must ensure that:
 a code or disguised record of a code is not recorded on an access method;
 devices and codes (including any record of codes) are not kept together such that
if a thief gets hold of the access method, he/she will also find the disguised code: for
example, in a briefcase, bag, wallet or purse (even if in different compartments), in a
car (even if in different areas of the car - in fact access methods should not be left in
a car at all), at home in the one item of furniture, (e.g. different drawers of the same
bedroom dresser) or in any other situation where an access method is not separate
and well apart from a code record;
 no one else is told or finds out your code - not even family or friends;
 transactions are ready to be made when you approach the electronic equipment,
such as an automatic teller machine;
 no one watches a code being entered. Check the location of mirrors, security
cameras or any other means of observing the code being enters, and then shield it
from sight;
 nothing (such as a device, transaction record or cash) is left behind when the
transaction is completed.
©MNoonan2012
Notice to Commonwealth Bank Customers
- Access Methods Security Guidelines cont.
What to do if your access method is misused, lost or stolen
You must tell us as soon as you become aware (even if you are confident
that the codes are secure) that the access method used by you or any user
is lost or stolen or you suspect that your (or any user’s) code has become
known to someone else because it may help us detect fraud and reduce the
need for us to conduct a lengthy enquiry because of extended misuse of the
account.
Otherwise, you will be liable for the unauthorised transactions that occur on
your account or any account linked to the card if it can be shown that you or
any user unreasonably delayed telling us of the access method or code
loss, theft or misuse.
You can tell us by calling 13 2221 at any time (24 hours a day, 7 days a
week) or visiting your nearest branch during business hours)
©MNoonan2012
Notice to Commonwealth Bank Customers
- Safeguarding Other Types of Payment
Instruments, such as Cheques and Passbooks
You must do everything you reasonably can to make sure that other
payment instruments such as cheques and passbooks are not misused or
lost or stolen. Not only must you take care to guard against theft, you
must always ensure that you draw cheques in a way that does not
facilitate fraud.
It is important that you tell us as soon as you become aware that a
payment instrument has been lost or stolen. You may be liable for the
unauthorised transactions that occur on your account if it can be shown
that you unreasonably delayed telling us of the loss, theft or misuse of the
payment instrument. If you have a cheque facility you should also check
your statements for unauthorised transactions and report them to the
Bank as soon as possible.
Even if you are confident that the payment instruments are secure, you
must tell us as soon as you become aware of the loss or theft of a
payment instrument or of any unauthorised access to your account(s).
©MNoonan2012
LIABILITY FOR UNAUTHORISED TRANSACTIONS
SECTION 5
Electronic Funds Transfer Code of Conduct
No liability for:
1. Losses caused by fraudulent, negligent conduct of employees or agents
of bank or networks or merchants
2. Losses relating to component of access method that are forged, faulty,
expired or cancelled
3. Losses that arise from transactions using device or code prior to issue
4. Double debits
5. Unauthorised transactions occurring after notification
6. Where it is clear that user has not contributed to the loss
Liable where:
 Where bank can prove on balance of probability that user contributed
to losses through their fraud, contravention of security guidelines
 Where bank can prove on balance of probability that user has
contributed to losses by unreasonably delaying notification
See 5.6 for security guidelines
©MNoonan2012
COMPLAINT INVESTIGATION / DISPUTE RESOLUTION
INTERNAL SCHEME EFT Code of Conduct s. 10
Internal Complaint handling procedures to comply with AS4269-1995 or other as
approved by ASIC
Customers to be advised of procedure in T&C
Decision to be based on all relevant established facts and not unsupported
inferences
Information to be obtained.
If equipment malfunction complained of, institution must investigate whether one
occurred.
Within 21 days, institution to complete investigation and advise user of outcome
with reasons or advise customer of need for more time.
Unless exceptional circumstances, investigation completed 45 days. If longer, must
inform customer of reasons, provide monthly updates, estimated decision date
Where customer liable, institution to make available copies of documents etc.
Where institution does not observe procedure external dispute resolution body may
make institution liable to compensate for effects of decision or delay
Records of complaints to be kept.
NOTE: 28% EFT complaints (30,375) April 99-March 2000 concerned
unauthorised transactions ATM and EFTPOS transactions. Majority resolved in
favour card issuer; most common reason being cardholder negligence with their
PIN.
©MNoonan2012
INTERNAL COMPLAINT PROCEDURE
INFORMATION TO BE OBTAINED FROM USERS
1. Account type, number, type of access method
used
2. Name and address of user
3. Other users authorised
4. Whether device signed
5. Whether device lost or stolen or security of codes breached Date
and time of loss, theft or security breach
 Time of report to account institution
 Time, date, method of reporting to police or other authority
6. Code details
 Was record of code made? How? Where kept Was record of
code lost or stolen? Date? Time? Code disclosed to anyone?
7. How loss occurred (e.g. housebreaking, stolen)
8. Where loss of device occurred e.g. office, home
9. Details of transaction to be investigated
 Description date time, amount Type and location of electronic
equipment used
10. Details of any circumstances surrounding the loss, theft, security
breach, or reporting or steps taken to ensure security of device
or codes which user considers relevant to their liability
11. Details of last valid transaction.
©MNoonan2012
External Dispute Resolution – Formerly via Banking and
Financial Services Ombudsman. Since 1 July 2008, via the
Financial Ombudsman service -merger of 3 financial
industry schemes
See www.fos.org.au
JURISDICTION
 The complaint must be about a specific “banking service”
(NOT commercial judgements, policies, fees, branch
closures) a bank has provided to complainant
 The person complaining must be able to say that the
banks action have directly caused them a financial loss.
 The amount of financial loss must be less than $280,000.
 The person complaining must be an individual and/or a
small business (15 full time employees or less, annual
turnover of $1m or less and independently owned and
managed). Some corporations-those which are also a
charity, trustee or statutory authority-excluded.
©MNoonan2012
Ombudsman
Information to supply when making a complaint
In a letter setting out particulars of the complaint,
name address and telephone number,
bank name,
name of contact person of bank and contact number,
account number, and
copies of documents if about a loan or cheque.
©MNoonan2012
Ombudsman
Procedure when handling a complaint
Ombudsman examines letter
Decides whether in a position to consider it
Allocates a case number
And perhaps an investigator (who liases with the bank)
Sends details to bank
After 30 days bank should have provided O with response. If it asks for
longer, has to explain
If complainant receives a recommendation, they may accept or reject. If
they reject, the O will not be able to assist further.If complainant
accepts and bank does too, case resolved.If complainant accepts but
bank does not, the O can issue an award which binds the bank.
When seeking to look at likely outcome of complaint, important to
consider terms of reference, guidelines and policies.
©MNoonan2012
Ombudsman Policies
- Bank Cheques
When considering a complaint about the stopping or dishonouring of
bank cheques, O has regard to the guidelines of ABA and Law Society of
NSW. Banks will only dishonour bank cheques in limited circumstances:
 Forged or counterfeit instruments
 Materially altered bank cheques
 Bank cheques reported lost or stolen
 A court order restraining payment
 Failure of consideration for issue of a bank cheque
NOTE a complaint by payee/holder falls outside terms of reference
because drawing bank did not provide a banking service to payee.
©MNoonan2012
Ombudsman Policies
- Cheques
Payment and collection of cheques
The Drawer receives a “banking service” from the paying bank
The Payee receives a “banking service” from the collecting bank
If the Drawer wishes to complain about the collecting bank, they would
not be able to do so to O even though the collecting bank has certain
statutory obligations under the Cheques Act, because collecting bank not
providing “banking service” to Drawer.
©MNoonan2012
Ombudsman Policies
- Third Party Cheques
A third party cheque is a cheque deposited for payment into
an account operated by someone other than the Payee.
In these circumstances, the collecting bank is providing a
“banking service” to the person who presents the cheque for
payment.
The O does not, however, have power to investigate a
complaint by the Payee or a person otherwise claiming to be
the true owner because the collecting bank did not provide a
“banking service” them.
©MNoonan2012
Ombudsman Policies
- Late Dishonours
Sometimes, banks advise a customer that a cheque has
been dishonoured outside 3 day clearing period but still
within clearance rules within banks.
Customers may not have been provided with clear
information about steps involved in cheque clearance.
May not be aware of notation on account permitting release
of uncleared funds or a commercial decision has been made
to permit them access to uncleared funds.
In these situations, O may consider whether bank actions
are misleading, deceptive.
©MNoonan2012
Ombudsman Policies
Mistake and change of position in good faith
O takes the view that where uncleared funds have been released to
customer because of human or system error, bank is entitled to recover the
money paid under mistake except where customer, in reliance on the
payment, changed their position in good faith.
Bank must establish it made a mistake of fact or law, it acted on the mistake
in releasing the funds and the recipient has been unjustly enriched.
Customer must establish they acted in good faith (actual belief in the
security of the receipt), they relied on the mistake and they changed their
position. A person can still be foolish, but honest.
Customer must act to their detriment on faith of receipt. Mere expenditure
not sufficient-must appear they would have acted differently had they not
mistakenly believed they were richer than they were.e.g. not enough to
simply spend the money on ordinary living expenses. Must be a genuine
change of condition. E.g. making a bad investment that would not otherwise
have been made, lending money to a third party that is irrecoverable, taking
overseas trip that would not otherwise have been taken.
©MNoonan2012
SAMPLE A BIO 2002
A Hasty Return
Mr and Mrs S went to Europe for their honeymoon. They intended to stay
for 1 month, but after 2 days, their credit card stopped working. They cut
short their holiday and returned to Australia.
They lodged a dispute with ABIO, claiming that the bank should
compensate them for their loss of enjoyment of their holiday.
When ABIO referred the dispute to the bank for its consideration, it offered
an ex-gratia payment of $3,000. Mr and Mrs S did not accept this offer, and
it was subsequently withdrawn by the bank.
Investigation
The information provided by the bank did not establish why the credit card
had stopped working. However, it was the case manager's view that as the
bank represents to customers that the particular type of card can be used
in most countries, the bank would be potentially liable for losses resulting
from the failure of the card to work.
©MNoonan2012
A Hasty Return Cont.
The case manager then investigated whether, according to the
Ombudsman's guidelines for assessing non-financial loss, Mr and Mrs S
were entitled to any compensation from the bank.
The case manager noted that:
 Mr and Mrs S did not contact the bank to try to rectify the problem with
the credit card; and
 Whilst the credit card did not work, they could still have accessed
alternative funds by using Mr S's Keycard. This would have allowed them
to make EFTPOS purchases and ATM withdrawals of up to $A800 per day,
which appeared to be more than adequate for their travelling needs.
Resolution
The case manager concluded that Mr and Mrs S acted with extreme haste.
As they had not given the bank an opportunity to resolve the matter, and
did not take any reasonable steps to minimise the inconvenience they
were suffering, the case manager found that it was not reasonable for Mr
and Mrs S to expect to be compensated by the bank.
©MNoonan2012
SAMPLE A BIO 2002
Disputed ATM Withdrawals
Mr B and Ms C disputed a large number of ATM withdrawals, totalling
$27,000, made from their line-of-credit account over a three-year period
with their debit cards. They acknowledged receiving monthly
statements, but said they were only concerned with the closing balance.
They only made a detailed check when they noticed that the home loan
was not reducing as quickly as expected. They provided a detailed list
of disputed transactions, but conceded that some of the withdrawals
would have been their own. They claimed that access to their account
could have been gained internally by the bank, or via a hacker on the
internet.
The bank declined to make any refund. It said it was not clear why some
transactions were disputed and others were not. It also noted that Mr B
and Ms C had not disputed any transactions on their credit card
account, yet on some days, valid credit card purchases occurred in the
same suburb as disputed debit card withdrawals.
©MNoonan2012
Disputed ATM Withdrawals cont.
Facts that came up during the investigation included that: both debit cards
were used, but most of the disputed withdrawals were made with Mr B's
card; both cards had bank-generated PINs; on two occasions it seemed
that disputed ATM withdrawals had been used to make payments to the
credit card account; on one occasion a disputed withdrawal was followed
by a valid withdrawal only one minute later; and on at least one occasion
there was a disputed cash withdrawal using a debit card on the same day
that one of the disputants used a credit card to purchase goods in the
same shopping centre.
The case manager found nothing to support the contention that access
was gained internally by the bank or via an internet hacker. There was also
no information to support a possibility that an unauthorised third party had
gained access to the cards and PINs. On the weight of information, the
case manager concluded that the most probable explanation for the
disputed transactions was that they had been made by the disputants
©MNoonan2012
themselves. The bank was not asked to compensate the disputants.
Merchant EFTPOS Facility
Disputant partnership selling giftware. 1 partner in business since inception. 1
bought share from partner who retired. All documentation signed by retired partner.
A customer frequently telephoned over 5 weeks to order gift hampers. To process,
disputants keyed customer card number into EFTPOS terminal. Did not swipe card
or obtain signature, nor did customer ever come into shop. By keying “off Line”,
disputants by-passed electronic system which prevented transactions over $100
limit if cardholder’s account did not have sufficient funds.
Bank attempted to levy chargebacks because transactions not authorised.
Case manager reviewed merchant agreement. Bank entitled to charge back
transactions if not valid or not processed in accordance with relevant procedures.
Found that disputants had contravened procedures by processing “off line” at a
time when electronic system functioning, failing to seek authorisation and failing to
take reasonable care to detect unauthorised use of the card…given the size,
frequency and nature of transactions.
Disputants argued they were not bound because neither had signed. However,
after review of partnership agreements and partnership legislation, found original
partner bound continuing partner and new partner had assumed equal liability.
Finding was that bank could rely on merchant agreement and charge back all of
the transactions.
©MNoonan2012
Unauthorised Withdrawals
Finding 6 on 2 August 2005
X had line of credit facility, with card access. Had never used
the card in 10 years. Stored it with PIN in a drawer. Stolen
24 November, 2004. Unauthorised withdrawals on 24/11$2,800 and 25/11-$3,000.
Bank debited him for the lot. Reasons: he failed to protect
PIN, failed to notify immediately, daily limit correct. He
complained to O.
Investigator found he failed to protect PIN with reasonable
methods to prevent unauthorised access, AAPT records
showed he rang bank 24/11 and spoke for 8 minutes-did
notify bank, limit correct-See EFT Code 5. Liable for
$2,800 (amount taken before notification) but not $3,000
(after notification).
©MNoonan2012
Limits where compensation sought
Ombudsman does not award punitive damages or
compensation for time spent on the complaint
An illustration of this was where Y sold investment property
with settlement planned for 22 Nov. On 11 Nov, his bank
informed him that they had lost the deeds. There followed
several anxious days of calls and complaints, an
application for a new CT, before the old one was found and
settlement effected on 22 Nov as planned. Y claimed his
expenses and $15,000 punitive damages for all the stress.
The bank offered $300 in compensation. The O policy was
that a person must be moderately robust in the way they
deal with unexpected problems. O does not award punitive
damages and does not award compensation for time spent
pursuing a complaint.
©MNoonan2012
Exam Questions
March 2008 QB3
 David is a postman who steals a few envelopes
containing cheque books during the year. He signs and
cashes one or two cheques, then discards the books.
Who bears the loss of this fraud?

Summarise the requirements of clause 10 of the
EFT Code of Conduct relating to internal complaint
investigation and resolution procedures.

Describe 3 ways in which electronic commerce can
create new legal dilemmas.
©MNoonan2012
Exam Questions-March 2007
Is it , or is it not, a reasonable attempt at “disguise” for
the purposes of the EFT Code of Conduct to put your
PIN giving access to your bank account in your
electronic organiser protected by a code? Explain
why or why not.
 If a family member forges your signature on
cheques drawn on your account to pay for a
shopping spree, can you stop the bank from
debiting your account? Explain why or why not.

©MNoonan2012
Exam Questions-indirect
As well as by direct questions, knowledge of this
module can be examined indirectly.
Questions dealing with other topics can involve use
of electronic commerce…e.g.for transactions,
banking, payment, formation of contract emails,
advertisements or conduct leading to formation
of agreements or action by one party.
©MNoonan2012