15 January 2019

Building Regulation

Claddings that help your multi-storey building go up like a Roman candle? The Senate Economics Committee report on Non-conforming building products: the need for a coherent and robust regulatory regime, released last month, comments
Confidence in the materials we use to build our domestic, commercial and public buildings is of paramount importance to all. Australians have a right to feel secure and safe in their built environment. As such, safety has always been a key motivator in the design and implementation of modern building regulations and construction codes. Often it is impossible for consumers and end users of building products to know whether a product is fit-for-purpose; trust is placed in those with the appropriate technical knowledge to ensure Australians are protected when they purchase or use building products, or that the appropriate product has been used in the place where they may work or live. 
Recent failures, such as the importation of asbestos-containing building products and the 2014 Lacrosse apartment building fire in Melbourne's Docklands, have highlighted the need for continued vigilance of building materials used in Australia. This is to ensure that building products and building practices in general, conform with the relevant building regulations and standards to guarantee public safety, along with building integrity and investment confidence in Australian building and construction. 
Non-conforming building products in Australia 
This inquiry into non-conforming building products in Australia was brought about following a number of industry-led forums that highlighted the growing body of evidence of the use of non-conforming building materials in the Australian construction industry. The inquiry has examined a range of issues surrounding the production, sourcing and use of non-conforming and non-compliant building products. 
A non-conforming product or material is one that claims to be something it is not, and does not meet the required Australian standard for the material—for example, the use of inferior grade material, or a product that contains illegal materials such as asbestos. A non-compliant building product is one that has been used in a situation where its use does not comply with the requirements for such a material under the National Construction Code (NCC). 
As the inquiry's terms of reference detail, significant issues were raised by stakeholders regarding the impact of non-conforming products in industry supply chains (including the importers of products and the manufacturers and fabricators of products), workplace safety and the variety of risks and costs that could be passed on to Australian customers. Alongside these issues, the committee took evidence relating to the use of non-compliant building materials. The inquiry also considered and examined the effectiveness of the current Australian building regulatory frameworks that are designed to ensure that building products conform to, and have been used or installed in compliance with, the relevant Australian Standards. 
Inquiry's interim reports 
Through the course of the inquiry, the committee has tabled three interim reports in relation to the issues raised by submitters and at public hearings as outlined in Chapter 1. 
The interim reports were:
Interim report: Safety—'not a matter of good luck'—4 May 2016; 
Interim report: aluminium composite cladding—6 September 2017 [noted here]; and 
Interim report: protecting Australians from the threat of asbestos—22 November 2017. 
The first interim report, in May 2016, raised a range of concerns, including the illegal importation of building products containing asbestos; the 2014 Lacrosse apartment fire in Melbourne and the use of non-compliant aluminium composite cladding; and the national recall of Infinity electric cable. The committee found that there had been a serious breakdown in the regulation and oversight of both non-conforming and non-compliant building products. In particular, the committee highlighted the weakness in the regulatory regime, including the certification process and the disjointed regulation of the use of building products, both manufactured in Australia and overseas. Based on the findings in the first interim report, the committee made one recommendation, which was to continue the inquiry. 
In September 2017, the committee tabled its second interim report—Interim report: aluminium composite cladding. This report focused on the issues raised around the use of polyethylene (PE) core Aluminium Composite Panels (ACPs) that had significantly contributed to the Lacrosse fire in Melbourne in 2014 and the tragic Grenfell Tower fire in London in 2017. The report found that deregulation and privatisation of building certification processes and the absence of proper regulatory controls, coupled with the increase in ACP product importation, led to the proliferation and installation of non-compliant building products. Importantly, the report was also critical of the lack of any timely government response to the Lacrosse fire, as well as any meaningful resolution between governments, the Building Ministers' Forum, and the Senior Officers' Group on possible steps forward in dealing with the proliferation of ACP panels. The committee's report put forward eight recommendations to address the importation and use of ACP panels and strengthen the regulatory system, including recommending banning the importation of ACP panels and a national licensing scheme for all trades and professionals (See Appendix 3 for list of recommendations). 
In November 2017, the committee tabled its third interim report titled, Interim report: protecting Australians from the threat of asbestos. Like its predecessor, this report concentrated on one topic, the illegal importation of asbestos. This report made 26 recommendations addressing how best to combat the intentional and unintentional importation of asbestos in building and other materials, including complete machinery (See Appendix 4 for list of recommendations). 
Final inquiry report 
This final report outlines many of the common issues across the prior three reports. It also supports the compliance concerns raised in the Building Ministers' Forum report, Building Confidence—Improving the effectiveness of compliance and enforcement systems for the building and construction industry across Australia, prepared by Professor Peter Shergold and Ms Bronwyn Weir, and draws attention to the progress being made in dealing with non-conforming products in some jurisdictions. Specifically, the committee was encouraged by the proactive work undertaken by the Queensland Government in their new legislation designed to strengthen the chain of responsibility for the importation and distribution of building materials. As such, Recommendation 6 of this report suggests that other jurisdictions also move to implement similar legislation to ensure responsibility and accountability is spread more evenly across supply chains. 
Recommendation 6 
The committee recommends that the Building Ministers' Forum give further consideration to introduce a nationally consistent approach that increases accountability for participants across the supply chain. Specifically, the committee recommends that other states and territories pass legislation similar to Queensland's Building and Construction Legislation (Non-conforming Building Products—Chain of Responsibility and Other Matters) Amendment Act 2017. 
Where to next? 
By and large, many of the 13 recommendations of this final report echo those recommendations put forward in the previous interim reports. The committee is cognisant that the Building Ministers' Forum is already moving on some of these issues as highlighted by the Shergold and Weir report. Nevertheless, the committee would encourage both the government and the Building Ministers' Forum to increase the level of momentum in implementing these recommendations and, moreover, those recommendations that have been raised previously. These include expediting mandatory third party certification for high risk products, including a national register of non-compliant products if feasible, and the introduction of a national licensing scheme. A simple change that the committee put forward previously, and one which it strongly believes would assist stakeholders, is to consider making all Australian Standards freely available. All forms of legal requirements should be freely available, where feasible, so that stakeholders can inform themselves adequately of their obligations under the relevant law.
The Committee goes on to state
The recommendations contained in this report are aimed at strengthening accountability and compliance and providing greater information to stakeholders, in turn, allowing stakeholders to make informed choices and ensuring the development of a coherent and robust regulatory regime for building materials in Australia. The committee believes that the areas that would benefit from urgent action by the Building Ministers' Forum include the following recommendations: 1, 3, 5, 6 and 10. 
Recommendation 1  
The committee recommends that the Building Ministers' Forum develop improved consultative mechanisms with industry stakeholders. In addition, the Building Ministers' Forum should amend the terms of reference for the Senior Officers' Group and the Building Regulators Forum to include annual reporting requirements on progress to address non-conforming building products. 
Recommendation 3 
The committee calls on the Building Ministers' Forum to expedite its consideration of a mandatory third-party certification scheme for high-risk building products and a national register for these products. 
Recommendation 5 
The committee recommends that the Building Ministers' Forum, through the Senior Officers' Group, examine international approaches—including the European Union's regulations and processes—for testing of high-risk products prior to import and determine if they can be suitably adapted to benefit and enhance Australian requirements. 
Recommendation 10 
The committee gives in-principle support to Recommendation 12 of the Shergold and Weir Report '[t]hat each jurisdiction establishes a building information database that provides a centralised source of building design and construction documentation' so regulators are better placed to identify where non-compliant building products have been installed. 
The committee has also identified a range of specific recommendations (numbers: 2, 4, 7, 8, 9, 11, 12, and 13) that it believes are best placed for government to progress and, as indicated earlier, a number of these have been proposed in earlier interim reports. 
Recommendation 2 
The committee recommends that the Australian Government develop a confidential reporting mechanism through which industry and other stakeholders can report non-conforming building products. 
Recommendation 4 
The committee recommends that where an importer intends to import goods that have been deemed high-risk, the Australian Government require the importer, prior to the importation of the goods, to conduct sampling and testing by a NATA accredited authority (or a NATA equivalent testing authority in another country that is a signatory to a Mutual Recognition Arrangement). 
Recommendation 7 
The committee recommends that the Australian Government work with state and territory governments to establish a national licensing scheme, with requirements for continued professional development for all building practitioners. 
Recommendation 8  
The committee strongly recommends that the Australian Government consider making all Australian Standards freely available. 
Recommendation 9 
The committee recommends that the Australian Government consult with industry stakeholders to determine the feasibility of developing a national database of conforming and non-conforming products. 
Recommendation 11 
The committee recommends the Australian Government consider imposing a penalties regime for non-compliance with the National Construction Code such as revocation of accreditation or a ban from tendering for Commonwealth funded construction work and substantial financial penalties. 
Recommendation 12 
The committee recommends that the Australian Government consider the merits of requiring manufacturers, importers and suppliers to hold mandatory recall insurance for high-risk building products. 
Recommendation 13 
The committee recommends that the Australian Government review the Customs Act 1901 (and other relevant legislation) to address the challenges of enforcing the existing importation of asbestos offence, with the aim to close loopholes and improve the capacity of prosecutors to obtain convictions against entities and individuals importing asbestos. This review should include consideration of increasing the threshold required to use 'mistake of fact' as a legal defence. 
The committee strongly advocates that the Australian Government and Building Ministers' Forum move quickly to adopt and implement these recommendations to provide greater confidence in building products and to protect all Australians.

13 January 2019


We might infer from an item in ITnews that supervision of Qld Police personnel is working (computer offences are being identified) but the thin blue line hasn't quite got the message.

In December ITnews reported
information released under Queensland’s right to information laws ... revealed that Queensland police took no disciplinary action against 52 of the 59 officers it investigated for computer hacking between August 2016 and September 2017.
Moving on to January, and perhaps in response to that revelation, ITnews states 'Yet another Qld cop charged with hacking: One of four to face charges since December'.

A senior constable has been charged with 'Computer Hacking and Misuse' offences (carrying a maximum penalty of 10 years imprisonment) for unauthorised access to Qld Police's information systems. He is the state's fourth police officer to face charges of computer hacking since the start of last month.

Queensland Police states
In keeping with our commitment to high standards of behaviour, transparency and accountability, we have undertaken to inform the public when an officer faces serious allegations of misconduct. 
This does not mean the allegations against the officer have been substantiated.
A 36-year-old undercover officer from the Brisbane region was stood down in early December following an internal investigation. A 52-year-old senior constable from Road Policing Command was subsequently issued with a notice to appear for nine counts of computer hacking after being investigated for conducting unauthorised searches of QPS information systems. A 37-year-old constable from Central Region was then suspended in December after being served a notice to appear for 31 charges of computer hacking.

Misbehaving Robots

The 108 page 'Remedies for Robots' (Stanford Law and Economics Olin Working Paper No. 523) by Mark A. Lemley and Bryan Casey asks
What happens when artificially intelligent robots misbehave? The question is not just hypothetical. As robotics and artificial intelligence (AI) systems increasingly integrate into our society, they will do bad things. They have already killed people. These new technologies present a number of interesting substantive law questions, from predictability, to transparency, to liability for high stakes decision making in complex computational systems. Our focus here is different. We seek to explore what remedies the law can and should provide once a robot has caused harm. 
The authors state
Where substantive law defines who wins legal disputes, remedies law asks, "What do I get when I win?" Remedies are sometimes designed to make plaintiffs whole by restoring them to the condition they would have been in "but for" the wrong. But they can also contain elements of moral judgment, punishment, and deterrence. For instance, the law will often act to deprive a defendant of its gains even if the result is a windfall to the plaintiff, because we think it is unfair to let defendants keep those gains. In other instances, the law may order defendants to do (or stop doing) something unlawful or harmful. 
Each of these goals of remedies law, however, runs into difficulties when the bad actor in question is neither a person nor a corporation but a robot. We might order a robot—or, more realistically, the designer or owner of the robot—to pay for the damages it causes. (Though, as we will see, even that presents some surprisingly thorny problems.) But it turns out to be much harder for a judge to "order" a robot, rather than a human, to engage in or refrain from certain conduct. Robots can't directly obey court orders not written in computer code. And bridging the translation gap between natural language and code is often harder than we might expect. This is particularly true of modern AI techniques that empower machines to learn and modify their decision making over time. If we don't know how the robot "thinks," we won't know how to tell it to behave in a way likely to cause it to do what we actually want it to do. 
Moreover, if the ultimate goal of a legal remedy is to encourage good behavior or discourage bad behavior, punishing owners or designers for the behavior of their robots may not always make sense—if only for the simple reason that their owners didn’t act wrongfully in any meaningful way. The same problem affects injunctive relief. Courts are used to ordering people and companies to do (or stop doing) certain things, with a penalty of contempt of court for noncompliance. But ordering a robot to abstain from certain behavior won’t be trivial in many cases. And ordering it to take affirmative acts may prove even more problematic. 
In this paper, we begin to think about how we might design a system of remedies for robots. It may, for example, make sense to focus less of our doctrinal attention on moral guilt and more of it on no-fault liability systems (or at least ones that define fault differently) to compensate plaintiffs. But addressing payments for injury solves only part of the problem. Often we want to compel defendants to do (or not do) something in order to prevent injury. Injunctions, punitive damages, and even remedies like disgorgement are all aimed, directly or indirectly, at modifying or deterring behavior. But deterring robot misbehavior too is going to look very different than deterring humans. Our existing doctrines often take advantage of “irrational” human behavior like cognitive biases and risk aversion. Courts, for instance, can rely on the fact that most of us don’t want to go to jail, so we tend to avoid conduct that might lead to that result. But robots will be deterred only to the extent that their algorithms are modified to include sanctions as part of the risk-reward calculus. These limitations may even require us to institute a “robot death penalty” as a sort of specific deterrence against certain bad behaviors. Today, speculation of this sort may sound far-fetched. But the field already includes examples of misbehaving robots being taken offline permanently—a trend which only appears likely to increase in the years ahead. 
Finally, remedies law also has an expressive component that will be complicated by robots. We sometimes grant punitive damages—or disgorge ill-gotten gains—to show our displeasure with you. If our goal is just to feel better about ourselves, perhaps we might also punish robots simply for the sake of punishing them. But if our goal is to send a slightly more nuanced signal than that through the threat of punishment, robots will require us to rethink many of our current doctrines. It also offers important insights into the law of remedies we already apply to people and corporations.

12 January 2019

Another fake doctor

Another bogus health practitioner, this time in the US, with reports that Oluwafemi Charles Igberase practiced as Dr. Charles Akoda before detection and conviction on a federal fraud charge, for which he served six months in prison. Over 200 former patients have now joined a class action against Dimensions Health Corporation, operator of the hospital where they were treated by Igberase posing as an obstetrician and gynaecologist. The litigants claim that the hospital was negligent in hiring and vetting 'Dr Akoda', with patients suffering "humiliation, shame, mortification and other injuries" under his care.

Readers may recall Australian fake practitioner instances, such as Raffaele Di Paolo, Sharobeem and Acharya (discussed in a recent Health Law Bulletin article by myself and Dr Wendy Bonython).

The US litigants claim that Igberase conducted unplanned emergency caesarean section surgeries that were "not medically necessary", invaded their privacy and that, given patients did not know his real identity, they were incapable of providing authorisation or consent for medical procedures. The pleading in Russell et al. v. Dimensions Health Corp. (case number 8:17-cv-03106, in the U.S. District Court of Maryland) centres on the claim that over four years Igberase saw at least 1,000 patients and performed at least 500 caesareans. The plaintiffs allegedly suffered physical pain, emotional anguish, fear, anxiety, embarrassment and other emotional injuries, along with intentional infliction of emotional distress, battery and negligent entrustment, as a result of Dimensions' alleged violations of the standards of care. That is reflected in reference to negligent and grossly negligent hiring, retention, supervision, selection, qualification and credentialing.

The plaintiffs argue that Dimensions, as the entity responsible for patient safety, should have been able to identify and quickly address any misconduct among its doctors, and was negligent in vetting Igberase and letting him practice.
 Dimensions breached its common law duties and the applicable standards of medical practice on an ongoing basis by negligently failing to investigate, credential, qualify, select, monitor and supervise its medical personnel and to discover, stop and report Oluwafemi Charles Igberase, ... 
On information and belief, Oluwafemi Charles Igberase recommended and performed a statistically significant number of unplanned emergency cesarean section surgeries. Many of the unplanned emergency cesarean sections were not medically necessary.
The plaintiffs also argue that in March 2012 the federal government denied Igberase's application to enroll in Medicare reimbursement after determining he did not provide an accurate Social Security number. Dimensions should have terminated Igberase before that time, rather than shortly after the commencement of criminal proceedings: "In 2012, Dimensions knew or should have known that the Social Security number provided to Dimensions by Igberase belonged to another person".

US court documents reportedly list 11 pseudonyms used by Igberase, who appears to have been born in Nigeria and entered the US in 1991 on a nonimmigrant visa. It is unclear whether he actually attended and graduated from a medical school before entry to the US. During the following six years, he apparently fraudulently gained at least four Social Security numbers using different names and different permanent addresses, using those fraudulent identities in seeking certifications from the US Educational Commission for Foreign Medical Graduates, which licenses overseas medical school graduates before they can pursue graduate medical education in the United States. (Certification includes examinations; applicants are not allowed to take the exams multiple times.)

Igberase failed the exams on several occasions but in 1993 and 1994 gained certification under different names. Two certifications were revoked after authorities noticed he had used different names and dates in his applications. However in 1998 he gained a separate certification, which he used for a hospital residency program in New Jersey. Officials subsequently suspended him after realising he had used a false Social Security number and birth date.

Using fake ID he then gained a residency in gynaecology and obstetrics at Howard University in Washington, completing his residency at Prince George’s Hospital Center and gaining a medical license from the Maryland Board of Physicians in September 2011.

In practice over several years - relying on a medical license not in his legal name - Igberase performed physical examinations, made formal diagnoses, read sonograms, made birth plans and performed caesareans. The hospital appears to have responded by stating that Igberase's conduct failed to meet its expectations regarding "sound moral character" but that his credentials and experience appeared valid, with "Several highly reliable agencies [having] validated his credentials including the states in which he held medical licenses". The hospital is "exploring many aspects of this case, researching records, and evaluating processes and procedures upon which we rely to validate information".

 The court in the 2016 federal fraud trial found that Igberase had forged or altered his medical diploma, medical transcripts and letters of recommendation in addition to use of a fake passport, visa, birth certificate and immigration documents. The Justice Department's November 2016 media release thus states
A search warrant executed at Igberase’s residence recovered a false social security card in the Akoda name, a false Nigerian passport for Akoda, a false U.S. visa in the Akoda name, and fraudulent or altered documents related to immigration, medical diplomas, medical transcripts, letters of recommendation and birth certificates.
In its 2017 motion to dismiss the class action Dimensions argued the hospital owed the plaintiffs no legal duty to ensure Igberase was not using an assumed name or fake Social Security number. Moreover, the plaintiffs had failed to show that a reasonable vetting would have provided the basis for rejecting his employment application. Any emotional harm allegedly experienced by the plaintiffs was not caused by learning Igberase had used a fake name. His actions did not put patient safety at risk.
Whether Dr. Akoda practiced under his 'real' name of Igberase or whether he used a Social Security number that did or did not belong to him has nothing at all to do with patient safety ... [Use of false identifiers does not] transform routine prenatal, labor and delivery care into an invasion of the patient's privacy. 
As Shakespeare wrote over 400 years ago, 'What's in a name? That which we call a rose by any other word would smell as sweet.' Whether the patients knew him as 'Akoda' or 'Igberase,' both names denote the exact same person, and that person was a licensed physician, who was experienced and competent in the practice of obstetrics and gynecology.
The privacy claim states that Igberase
intruded upon the solitude, seclusion or private affairs and concerns of named plaintiffs and class members by viewing private areas of each patient's body, performing medical procedures on each patient, inserting his extremities inside each patient, performing surgical procedures on patients and other boundary violations all without authorization or consent.

11 January 2019


'Online Manipulation: Hidden Influences in a Digital World' by Daniel Susser, Beate Roessler and Helen Nissenbaum comments
 Privacy and surveillance scholars increasingly worry that data collectors can use the information they gather about our behaviors, preferences, interests, incomes, and so on to manipulate us. Yet what it means, exactly, to manipulate someone, and how we might systematically distinguish cases of manipulation from other forms of influence — such as persuasion and coercion — has not been thoroughly enough explored in light of the unprecedented capacities that information technologies and digital media enable. In this paper, we develop a definition of manipulation that addresses these enhanced capacities, investigate how information technologies facilitate manipulative practices, and describe the harms — to individuals and to social institutions — that flow from such practices. 
We use the term “online manipulation” to highlight the particular class of manipulative practices enabled by a broad range of information technologies. We argue that at its core, manipulation is hidden influence — the covert subversion of another person’s decision-making power. We argue that information technology, for a number of reasons, makes engaging in manipulative practices significantly easier, and it makes the effects of such practices potentially more deeply debilitating. And we argue that by subverting another person’s decision-making power, manipulation undermines his or her autonomy. Given that respect for individual autonomy is a bedrock principle of liberal democracy, the threat of online manipulation is a cause for grave concern.

The Complementary Medicine Taskforce: A Homeopathic Consultation?

Homeopathic products purport to cure a range of general or specific ills through pills, potions, liniments and other 'medications' in which the claimed active ingredient is undetectable. The Commonwealth appears to have adopted a homeopathy model for consultation about labelling of complementary medicine products: consultation is being done quickly, privately, without public engagement with consumers or independent health experts and potentially without much benefit for consumers.

Last month the national Minister for Industry, Science and Technology, Karen Andrews, announced the Complementary Medicine Taskforce: a review of "the impact of recent consumer law changes on the complementary healthcare sector".

The announcement is pitched as helping to meet consumer demand for more information on where products are made, after changes to the Australian Consumer Law and Country of Origin Labelling requirements last year.

After controversy last year about adulteration and labelling of products such as honey ('Australian' honey apparently need not contain much material from Australian bees, or indeed much honey as distinct from beet/cane syrup) and fish oil, you might expect that the review is concerned with looking after consumers. Apparently not; it's concerned with exports (typically by overseas-owned groups).

The announcement states
 "The Morrison Government is committed to helping local industry tap into our export markets, and ensuring our business community has opportunities to sell more products overseas," Minister Andrews said. 
"We’re helping Australian businesses sell more of their high-quality products and services to overseas consumers, helping these businesses expand and employ more staff, driving economic growth." 
"The Morrison Government has heard the strong industry representations on this issue, and this Taskforce will assist our manufacturers by enabling further consideration and assessment of industry concerns." 
The law change has led to some complementary healthcare producers no longer being able to claim their product is made in Australia or carry the Australian Made, Australian Grown logo. This logo is widely recognised in export markets and promotes Australian high-quality products. 
Minister Andrews said it’s important for all industry stakeholders and consumer groups to understand "Made in Australia" and use of the logo. 
"The Taskforce will examine the impact of changes to Country of Origin Labelling laws on manufacturers of vitamins, minerals and supplements and their origin claims," Minister Andrews said. 
"The complementary healthcare sector in particular is an important and growing contributor to our economic prosperity. The industry employs around 29,000 people and estimates show that exports currently exceed $1.2 billion." 
"We are proud of the quality of Australian made products and want to ensure the regulatory environment facilitates these products being exported into global markets."
The industry is of course also a major donor to political parties and affiliates.

The announcement states that the taskforce is expected to report to government in early 2019.

The review's Terms of Reference apparently have not been released publicly.

They appear to be as follows, noting the rebadging of the review as the "Complementary Healthcare Sector Country of Origin Labelling (CoOL) Taskforce".
1. Background 
The purpose of the Complementary Healthcare Sector Country of Origin Labelling (CoOL) Taskforce (the Taskforce) is to examine concerns raised by the Complementary Healthcare Sector (the Sector) about changes to the use of the ‘Australian Made, Australian Grown’ (AMAG) logo, and investigate options that may address these concerns while maintaining consumer confidence in the authenticity of ‘Made in Australia’ claims. 
The Sector reports that a rapid increase in international sales of vitamins, minerals and supplements has led to greater domestic investment and job creation. The Sector has identified that claiming Australian origin and using the AMAG logo is a key marketing advantage when selling into both domestic and export markets. 
The overall sector revenue is reported by industry as $4.9 billion in 2017 across 82 Australian-based manufacturers. Industry representatives say that if a significant reduction in sales occurs in export markets, impacts could include reduced employment and growth in the sector. 
The AMAG logo is licensed to industry by Australian Made Campaign Limited (AMCL) in accordance with the Deed of Assignment between the Commonwealth of Australia and AMCL and the AMAG Logo Code of Practice (certified trade mark rules). The AMAG logo can only be licensed for products that are consistent with Australian Consumer Law (ACL) safe harbour defences. 
The February 2017 changes to the substantial transformation test under the ACL, meant for claims of ‘Made in Australia’ to qualify for the relevant ACL safe harbour defences, a new product with imported ingredients needs to be fundamentally different in identity, nature or essential character from the imported ingredients. 
The Australian Competition and Consumer Commission’s (ACCC) guide to the Sector in March 2018 outlined a number of production scenarios that the ACCC considers likely to either meet or not meet safe harbour defences. The Sector is concerned that many of its products will not meet the ACCC’s interpretation of substantial transformation and therefore will not be allowed to use the AMAG logo. 
2. Purpose 
The Taskforce will consider and assess reported impacts on the Sector of the changes to the substantial transformation test under the ACL. Both industry and consumer interests will be considered in this process. 
3. Scope 
The Taskforce shall:
1. Assess how the current CoOL policy framework, including ACCC guidance regarding the substantial transformation test, interacts with the complementary healthcare sector. This shall include reporting on industry concerns about how this policy and guidance may be impacting upon business decisions within both the Sector, and AMCL in licensing use of the AMAG logo. 
2. Assess the commercial impacts of the current substantial transformation test under the ACL on the complementary healthcare sector regarding products generally referred to as vitamins, minerals and supplements. 
3. Assess Australian consumer expectations relating to suggested changes by the Sector regarding rules governing the use of the AMAG logo. This will include consideration of impacts on consumer choices in purchasing products, and the need to protect and ensure the integrity of Australian made claims and the AMAG logo. 
4. Give consideration to broader market or industry impacts regarding CoOL and AMAG logo use beyond the complementary healthcare sector. 
5. Identify appropriate next steps for responding to the Sector’s concerns 
4. Membership 
The Taskforce will comprise representatives from the:
1. Department of Industry, Innovation and Science; 
2. Department of the Prime Minister and Cabinet; 
3. Treasury; 
4. Department of Foreign Affairs and Trade/ AusTrade; 
5. Department of Agriculture and Water Resources; 
6. Therapeutic Goods Administration; 
7. Department of Health; and 
8. Australian Competition and Consumer Commission. 
In conducting its activities the Taskforce will consult with:
- Relevant State Government agencies; 
- Complementary Medicines Australia; 
- manufacturers within the complementary healthcare sector; 
- other industry stakeholders with an interest in ‘Made in Australia’ claims 
- consumer organisations; 
- Australia Made Campaign Ltd; and 
- other agencies and/or stakeholders as required. 
5. Operations 
The Taskforce:
1. Will meet as required. If required, members can ask the chair to hold additional meetings, providing at least two weeks’ notice is given. 
2. Will meet via teleconference with the option to meet in person if appropriate. Members may (on agreement with the Chair) undertake work out-of-session to inform and support the deliberations of the Taskforce. 
The Department of Industry will provide the Chair and Secretariat for the Taskforce. 
Members will contribute professional knowledge and expertise to discussions of the Taskforce. 
Members may be requested to contribute data to establish an evidence base for the Taskforce to consider options. 
Some sales, employment or marketing data (or other commercial information) relevant to Taskforce deliberations may be commercial-in-confidence. The Taskforce will seek advice as appropriate to manage the confidentiality of data provided to the group. 
The Taskforce may draw upon the expertise of non-members to inform the discussions of the group on an ad-hoc basis. The Chair will consider and approve such requests. The Chair will consider for approval requests for the attendance of non-members (outside of the Secretariat) at Taskforce meetings. 
6. Deliverables 
The Taskforce shall provide Government with a report addressing each of the issues identified for examination within scope for the Taskforce. The Taskforce will provide advice to Government by the end February 2019. 
7. Review and reporting 
Members of the Taskforce will have scope to review and comment on the final report. The final report will be delivered to the Minister for the Department of Industry, Innovation and Science and the Assistant Treasurer.
What we have here is a review with no commitment to releasing a report on a timely basis, bearing in mind the Government's reluctance to release the report of the review of pharmaceuticals a few years ago. We might hope that the Government's stated commitment to 'Open Government' is given effect through early release of the report and of details of the concerns voiced by the sector.

It is a review that is weighted towards industry; consumer advocates and other health advocates appear as an afterthought, particularly given
  • the limited publicity about the review 
  • non-release of the Terms of Reference 
  • non-release of indications of how advocates can engage with the review.
We might ask a more challenging question: should governments be encouraging domestic and overseas consumption of products that are often expensive and therapeutically unnecessary but replete with the puffery that delights consumer law scholars and attracts attention from the ACCC? Some examples are here, here and here.

Among the literature see  'Commercialism, choice and consumer protection: regulation of complementary medicines in Australia' by Harvey, Korczak, Marron and Newgreen in (2008) 188(1) Medical Journal of Australia 21-25, Vitamania: Vitamins in American Culture (New Jersey: Rutgers University Press 1996) by Rima Apple, 'Dietary Supplements: Can the Law Control the Hype' by Iona Kaiser in (2000) 37 Houston Law Review 1249-1277, 'The effectiveness of popular, non-prescription weight loss supplements' by Egger, Cameron-Smith and Stanton in (1999) 171(11) Medical Journal of Australia 604-608 and 'Truth and Consequences: The Perils of Half-Truths and Unsubstantiated Health Claims for Dietary Supplements' by Vladeck in (2000) 19(1) Journal of Public Policy & Marketing 132-138.

Singapore Population-scale Data Breach

The Public Report of the Committee of Inquiry (COI) into the cyber attack on Singapore Health Services Private Limited Patient Database considers the "events and contributing factors leading to the cyber attack on Singapore Health Services Private Limited patient database system". SingHealth experienced a population-scale health data breach that ran from 2017 into last year.

The damning 454-page public report states 
Between 23 August 2017 and 20 July 2018, a cyber attack (the “Cyber Attack”) of unprecedented scale and sophistication was carried out on the patient database of Singapore Health Services Private Limited (“SingHealth”). The database was illegally accessed and the personal particulars of almost 1.5 million patients, including their names, NRIC numbers, addresses, genders, races, and dates of birth, were exfiltrated over the period of 27 June 2018 to 4 July 2018. Around 159,000 of these 1.5 million patients also had their outpatient dispensed medication records exfiltrated. The Prime Minister’s personal and outpatient medication data was specifically targeted and repeatedly accessed. 
The crown jewels of the SingHealth network are the patient electronic medical records contained in the SingHealth Sunrise Clinical Manager (“SCM”) database. The SCM is an electronic medical records software solution, which allows healthcare staff to access real-time patient data. The SCM system can be seen as comprising front-end workstations, Citrix servers, and the SCM database. Users would access the SCM database via Citrix servers, which operate as an intermediary between front-end workstations and the SCM database. The Citrix servers played a critical role in the Cyber Attack. 
At the time of the Cyber Attack, SingHealth was the owner of the SCM system. Integrated Health Information Systems Private Limited (“IHiS”) was responsible for administering and operating the system, including implementing cybersecurity measures. IHiS was also responsible for security incident response and reporting. 
The Committee’s Terms of Reference (“TORs”) include (i) establishing the events and contributing factors leading to the Cyber Attack and the exfiltration of patient data (“TOR #1”), and (ii) establishing how IHiS and SingHealth responded to the Cyber Attack (“TOR #2”). The Committee’s findings on these TORs are set out in Parts III-VI of the main report. 
In the present section, the Committee will first provide a summary of the key events of the Cyber Attack and the incident response by IHiS and SingHealth. The Committee will then present five Key Findings in respect of TORs #1 and #2. 
The attacker gained initial access to SingHealth’s IT network around 23 August 2017, infecting front-end workstations, most likely through phishing attacks. The attacker then lay dormant for several months, before commencing lateral movement in the network between December 2017 and June 2018, compromising a number of endpoints and servers, including the Citrix servers located in SGH, which were connected to the SCM database. Along the way, the attacker also compromised a large number of user and administrator accounts, including domain administrator accounts. 
Starting from May 2018, the attacker made use of compromised user workstations in the SingHealth IT network and suspected virtual machines to remotely connect to the SGH Citrix servers, and tried unsuccessfully to access the SCM database from the SGH Citrix servers.  
IHiS’ IT administrators first noticed unauthorised logins to the Citrix servers and failed attempts at accessing the SCM database on 11 June 2018. Similar malicious activities were detected on 12, 13, and 26 June 2018. Unknown to them, the attacker had obtained credentials to the SCM database on 26 June 2018. Starting from 27 June 2018, the attacker began querying the SCM database, stealing and exfiltrating patient records, and doing so undetected by IHiS. 
On 4 July 2018, an IHiS administrator for the SCM system noticed suspicious queries being made on the SCM database. Working with other IT administrators, ongoing suspicious queries were terminated, and measures were put in place to prevent further queries to the SCM database. These measures proved to be successful, and the attacker could not make any further successful queries to the database after 4 July 2018. 
Between 11 June and 9 July 2018, the persons who knew of and responded to the incident were limited to IHiS’ line-staff and middle management from various IT administration teams, and the security team. On 9 July 2018, IHiS senior management were finally informed of the matter. On 10 July 2018, the matter was escalated to the Cyber Security Agency of Singapore (“CSA”), SingHealth’s senior management, the Ministry of Health (“MOH”), and the Ministry of Health Holdings (“MOHH”). 
Starting from the night of 10 July 2018, IHiS and CSA carried out joint investigations and remediation. Several measures aimed at containing the existing threat, eliminating the attacker’s footholds, and preventing recurrence of the attack were implemented. In view of further malicious activities on 19 July 2018, internet surfing separation was implemented for SingHealth on 20 July 2018. No further suspicious activity was detected after 20 July 2018. 
After being notified of the Cyber Attack, SingHealth’s senior management, in consultation with MOH, IHiS, CSA, and the Ministry of Communications and Information, began making plans for a public announcement, and for patient outreach and communications. 
The public announcement was made on 20 July 2018, and patient outreach and communications commenced immediately thereafter. SMS messages were used as the primary mode of communication, in view of the need for quick dissemination of information on a large scale. Other modes of communication included letters, telephone hotlines, and various online channels. In total, SingHealth intended to contact 2.16 million patients. At the time of the Inquiry, 2.9% of the patients could not be contacted despite SingHealth’s efforts. 
The Committee has made numerous findings in respect of TORs #1 and #2. From these findings, the Committee has identified five Key Findings. 
Key Finding #1: IHiS staff did not have adequate levels of cybersecurity awareness, training, and resources to appreciate the security implications of their findings and to respond effectively to the attack
  • A number of IHiS’ IT administrators are commended by the Committee for their vigilance in noticing suspicious activity, such as unauthorised logins to the Citrix servers, suspicious attempts at logging in to the SCM database, presence of unauthorised software, and suspicious queries being run on the SCM database. 
  • However, these same IT administrators could not fully appreciate the security implications of their findings, and were unable to correlate these findings with the tactics, techniques, and procedures (“TTPs”) of an advanced cyber attacker. 
  • They were also not familiar with the relevant IT security policy documents and the need to escalate the matter to CSA. There was also no incident reporting framework in place for the IT administrators. 
  • Members of the Security Management Department, Computer Emergency Response Team, and senior members of IHiS’ management were similarly unable to fully appreciate the security implications of the findings. 
Key Finding #2: Certain IHiS staff holding key roles in IT security incident response and reporting failed to take appropriate, effective, or timely action, resulting in missed opportunities to prevent the stealing and exfiltrating of data in the attack
  • The Security Incident Response Manager (“SIRM”) and Cluster Information Security Officer (“Cluster ISO”) for SingHealth, who were responsible for incident response and reporting, held mistaken understandings of what constituted a ‘security incident’, and when a security incident should be reported. 
  • The SIRM delayed reporting because he felt that additional pressure would be put on him and his team once the situation became known to management. 
  • The evidence also suggests that the reluctance to escalate the matter may have come from a belief that it would not reflect well in the eyes of the organisation if the matter turned out to be a false alarm. 
  • The Cluster ISO did not understand the significance of the information provided to him, and did not take any steps to better understand the information. Instead, he effectively abdicated to the SIRM the responsibility of deciding whether to escalate the incident. 
Key Finding #3: There were a number of vulnerabilities, weaknesses, and misconfigurations in the SingHealth network and SCM system that contributed to the attacker’s success in obtaining and exfiltrating the data, many of which could have been remedied before the attack
  • A significant vulnerability was the network connectivity (referred to in these proceedings as an “open network connection”) between the SGH Citrix servers and the SCM database, which the attacker exploited to make queries to the database. The network connectivity was maintained for the use of administrative tools and custom applications, but there was no necessity to do so. 
  • The SGH Citrix servers were not adequately secured against unauthorised access. Notably, the process requiring 2-factor authentication (“2FA”) for administrator access was not enforced as the exclusive means of logging in as an administrator. This allowed the attacker to access the server through other routes that did not require 2FA. 
  • There was a coding vulnerability in the SCM application which was likely exploited by the attacker to obtain credentials for accessing the SCM database. 
  • There were a number of other vulnerabilities in the network which were identified in a penetration test in early 2017, and which may have been exploited by the attacker. These included weak administrator account passwords and the need to improve network segregation for administrative access to critical servers such as the domain controller and the Citrix servers. Unfortunately, the remediation process undertaken by IHiS was mismanaged and inadequate, and a number of vulnerabilities remained at the time of the Cyber Attack. 
Key Finding #4: The attacker was a skilled and sophisticated actor bearing the characteristics of an Advanced Persistent Threat group
  • The attacker had a clear goal in mind, namely the personal and outpatient medication data of the Prime Minister in the main, and also that of other patients. 
  • The attacker employed advanced TTPs, as seen from the suite of advanced, customised, and stealthy malware used, generally stealthy movements, and its ability to find and exploit various vulnerabilities in SingHealth’s IT network and the SCM application. 
  • The attacker was persistent, having established multiple footholds and backdoors, carried out its attack over a period of over 10 months, and made multiple attempts at accessing the SCM database using various methods. 
  • The attacker was a well-resourced group, having an extensive command and control network, the capability to develop numerous customised tools, and a wide range of technical expertise. 
Key Finding #5: While our cyber defences will never be impregnable, and it may be difficult to prevent an Advanced Persistent Threat from breaching the perimeter of the network, the success of the attacker in obtaining and exfiltrating the data was not inevitable
  • A number of vulnerabilities, weaknesses, and misconfigurations could have been remedied before the attack. Doing so would have made it more difficult for the attacker to achieve its objectives. 
  • The attacker was stealthy but not silent, and signs of the attack were observed by IHiS’ staff. Had IHiS’ staff been able to recognise that an attack was ongoing and take appropriate action, the attacker could have been stopped before it achieved its objectives. 
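The timeline and Key Findings above describe signals that were each noticed by IHiS administrators (failed logins to the Citrix servers, failed attempts to log in to the SCM database from a Citrix server, suspicious queries against the database) but never correlated into one picture. The following is an added example, not code from the COI report or from IHiS or SingHealth; it sketches the kind of correlation the report says was missing. It parses a constructed log of Citrix and database events (the key=value log format, host names, addresses, user names and thresholds are all assumptions made for illustration), applies one simple rule per signal, and escalates when the same host appears at more than one stage.

```python
"""Correlating 'stealthy but not silent' signals across Citrix and database logs.

Added example only; not code from the COI report, IHiS or SingHealth. The log
format, host names, addresses, user names and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample events, modelled on the sequence the report describes:
# failed Citrix logins, failed database logins from a Citrix server, then a
# successful login followed by bulk queries. Not real SingHealth data.
SAMPLE_LOG = """\
2018-06-11T02:14:05 citrix host=sgh-ctx-01 event=login user=ctxadmin src=10.20.4.77 result=FAIL
2018-06-11T02:14:09 citrix host=sgh-ctx-01 event=login user=ctxadmin src=10.20.4.77 result=FAIL
2018-06-11T02:14:20 citrix host=sgh-ctx-01 event=login user=ctxadmin src=10.20.4.77 result=OK
2018-06-11T02:31:44 scmdb event=login user=scm_admin src=sgh-ctx-01 result=FAIL
2018-06-11T02:32:01 scmdb event=login user=scm_admin src=sgh-ctx-01 result=FAIL
2018-06-12T09:00:00 scmdb event=query user=scm_app src=app-srv-02 rows=120
2018-06-12T09:05:00 scmdb event=query user=scm_app src=app-srv-02 rows=95
2018-06-27T01:03:12 scmdb event=login user=scm_app src=sgh-ctx-01 result=OK
2018-06-27T01:05:00 scmdb event=query user=scm_app src=sgh-ctx-01 rows=48000
2018-06-27T01:09:30 scmdb event=query user=scm_app src=sgh-ctx-01 rows=52000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<kv>.*)$")

FAIL_WINDOW = timedelta(minutes=10)  # burst window for failed Citrix logins (assumption)
FAIL_THRESHOLD = 2                   # failures in the window that raise an alert (assumption)
BULK_ROWS = 10_000                   # absolute row count treated as bulk extraction (assumption)
BULK_RATIO = 10                      # multiple of the user's own median that counts as bulk (assumption)


def parse(log_text):
    """Turn key=value log lines into dicts with a parsed timestamp, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore anything that is not a well-formed event line
        ev = {"ts": datetime.fromisoformat(m["ts"]), "source": m["source"]}
        for key, value in (pair.split("=", 1) for pair in m["kv"].split()):
            ev[key] = value
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """One rule per signal; every alert names the host the signal came from."""
    alerts = []
    citrix_fails = defaultdict(list)   # (host, user, src) -> recent failure timestamps
    query_history = defaultdict(list)  # db user -> row counts seen so far (the baseline)
    for ev in events:
        if ev["source"] == "citrix" and ev["event"] == "login" and ev["result"] == "FAIL":
            key = (ev["host"], ev["user"], ev["src"])
            window = [t for t in citrix_fails[key] if ev["ts"] - t <= FAIL_WINDOW]
            window.append(ev["ts"])
            citrix_fails[key] = window
            if len(window) == FAIL_THRESHOLD:  # alert once per burst, not per failure
                alerts.append({"ts": ev["ts"], "kind": "citrix_login_failures",
                               "host": ev["host"], "detail": f"{ev['user']} from {ev['src']}"})
        elif ev["source"] == "scmdb" and ev["event"] == "login" and ev["result"] == "FAIL":
            # A failed attempt to reach the database is itself a reportable incident.
            alerts.append({"ts": ev["ts"], "kind": "db_login_failure",
                           "host": ev["src"], "detail": f"user {ev['user']}"})
        elif ev["source"] == "scmdb" and ev["event"] == "query":
            rows = int(ev["rows"])
            history = query_history[ev["user"]]
            baseline = median(history) if history else 0
            if rows >= BULK_ROWS or (baseline and rows > BULK_RATIO * baseline):
                alerts.append({"ts": ev["ts"], "kind": "bulk_query", "host": ev["src"],
                               "detail": f"{rows} rows by {ev['user']} (baseline {baseline:.0f})"})
            history.append(rows)
    return alerts


def correlate(alerts):
    """Escalate when one host shows up at two or more stages of the chain."""
    kinds_by_host = defaultdict(set)
    for a in alerts:
        kinds_by_host[a["host"]].add(a["kind"])
    return [{"kind": "attack_chain", "host": host, "stages": sorted(kinds)}
            for host, kinds in kinds_by_host.items() if len(kinds) >= 2]


def analyse(log_text):
    """Parse, apply the per-signal rules, then correlate; returns (alerts, escalations)."""
    alerts = detect(parse(log_text))
    return alerts, correlate(alerts)


if __name__ == "__main__":
    found, escalations = analyse(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["kind"], a["host"], a["detail"])
    for e in escalations:
        print("ESCALATE", e["host"], e["stages"])
```

Run as a script it prints five alerts and one escalation. The individual rules are deliberately unremarkable; the point is the last stage, where the Citrix login burst, the failed database logins and the bulk reads all resolve to the same host, which is exactly what an administrator looking at each event in isolation would not see. The baseline for the bulk-query rule is the user's own prior query sizes, so the first large read from a new source stands out even where the absolute threshold is set generously.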
The Committee's recommendations are prefaced with the comment that
The Committee’s TORs also include recommending measures to (i) enhance the incident response plans for similar incidents (“TOR #3”); (ii) better protect SingHealth’s patient database system against similar cyber attacks (“TOR #4”); and (iii) reduce the risk of such cyber attacks on public sector IT systems which contain large databases of personal data, including in the other public healthcare clusters (“TOR #5”). The Committee’s recommendations on these TORs are set out in Part VII of the main report. 
The Committee makes sixteen recommendations, comprising seven Priority Recommendations and nine Additional Recommendations, all of which have been explored and examined in great detail. 
The seven Priority Recommendations include strategic and operational measures to uplift the cybersecurity posture of SingHealth and IHiS, and steps must be taken to implement these Priority Recommendations immediately. The nine Additional Recommendations relate to other specific concerns raised in the course of this Inquiry, including technical, organisational, training, and process-related issues. The measures, which are similarly aimed at uplifting the cybersecurity posture of SingHealth and IHiS, must be implemented or seriously considered. 
All sixteen recommendations are made in respect of TORs #3 and #4, and apply equally to TOR #5. They range from basic cyber hygiene measures to more advanced measures which may be more relevant after a certain level of cybersecurity maturity has been attained by the organisation. 
While some measures may seem axiomatic, the Cyber Attack has shown that these were not implemented effectively by IHiS at the time of the attack. For IHiS, SingHealth, and other organisations responsible for large databases of personal data, getting the fundamentals right is a necessary and vital step in building cybersecurity competencies and the ability to counter the real, present, and constantly evolving cybersecurity threats.
The Priority Recommendations are -
Recommendation #1: An enhanced security structure and readiness must be adopted by IHiS and Public Health Institutions
  • Cybersecurity must be viewed as a risk management issue, and not merely a technical issue. Decisions should be deliberated at the appropriate management level, to balance the trade-offs between security, operational requirements, and cost. 
  • IHiS must adopt a “defence-in-depth” approach.  Gaps between policy and practice must be addressed. 
Recommendation #2: The cyber stack must be reviewed to assess if it is adequate to defend and respond to advanced threats
  • Identify gaps in the cyber stack by mapping layers of the IT stack against existing security technologies. 
  • Gaps in response technologies must be filled by acquiring endpoint and network forensics capabilities. 
  • The effectiveness of current endpoint security measures must be reviewed to fill the gaps exploited by the attacker. 
  • Network security must be enhanced to disrupt the ‘Command and Control’ and ‘Actions on Objective’ phases of the Cyber Kill Chain. 
  • Application security for email must be heightened. 
Recommendation #3: Staff awareness on cybersecurity must be improved, to enhance capacity to prevent, detect, and respond to security incidents
  • The level of cyber hygiene among users must continue to be improved. 
  • A Security Awareness Programme should be implemented to reduce organisational risk. 
  • IT staff must be equipped with sufficient knowledge to recognise the signs of a security incident in a real-world context. 
Recommendation #4: Enhanced security checks must be performed, especially on CII systems
  • Vulnerability assessments must be conducted regularly. 
  • Safety reviews, evaluation, and certification of vendor products must be carried out where feasible. 
  • Penetration testing must be conducted regularly. 
  • Red teaming should be carried out periodically. 
  • Threat hunting must be considered. 
Recommendation #5: Privileged administrator accounts must be subject to tighter control and greater monitoring
  • An inventory of administrative accounts should be created to facilitate rationalisation of such accounts. 
  • All administrators must use two-factor authentication when performing administrative tasks. 
  • Use of passphrases instead of passwords should be considered to reduce the risk of accounts being compromised. 
  • Password policies must be implemented and enforced across both domain and local accounts. 
  • Server local administrator accounts must be centrally managed across the IT network. 
  • Service accounts with high privileges must be managed and controlled. 
Recommendation #6: Incident response processes must be improved for more effective response to cyber attacks
  • To ensure that response plans are effective, they must be tested with regular frequency. 
  • Pre-defined modes of communication must be used during incident response. 
  • The correct balance must be struck between containment, remediation, and eradication, and the need to monitor an attacker and preserve critical evidence. 
  • Information and data necessary to investigate an incident must be readily available. 
  • An Advanced Security Operation Centre or Cyber Defence Centre should be established to improve the ability to detect and respond to intrusions. 
Recommendation #7: Partnerships between industry and government to achieve a higher level of collective security
  • Threat intelligence sharing should be enhanced. 
  • Partnerships with Internet Service Providers should be strengthened. 
  • Defence beyond borders – cross-border and cross-sector partnerships should be strengthened. 
  • Using a network to defend a network – applying behavioural analytics for collective defence. 
The Additional Recommendations are
Recommendation #8: IT security risk assessments and audit processes must be treated seriously and carried out regularly
  • IT security risk assessments and audits are important for ascertaining gaps in an organisation’s policies, processes, and procedures. 
  • IT security risk assessments must be conducted on CII and mission-critical systems annually and upon specified events. 
  • Audit action items must be remediated. 
Recommendation #9: Enhanced safeguards must be put in place to protect electronic medical records
  • A clear policy on measures to secure the confidentiality, integrity, and accountability of electronic medical records must be formulated. 
  • Databases containing patient data must be monitored in real-time for suspicious activity. 
  • End-user access to the electronic health records should be made more secure. 
  • Measures should be considered to secure data-at-rest. 
  • Controls must be put in place to better protect against the risk of data exfiltration. 
  • Access to sensitive data must be restricted at both the front-end and at the database-level. 
Recommendation #10: Domain controllers must be better secured against attack
  • The operating system for domain controllers must be more regularly updated to harden these servers against the risk of cyber attack. 
  • The attack surface for domain controllers should be reduced by limiting login access. 
  • Administrative access to domain controllers must require two-factor authentication. 
Recommendation #11: A robust patch management process must be implemented to address security vulnerabilities
  • A clear policy on patch management must be formulated and implemented. 
  • The patch management process must provide for oversight with the reporting of appropriate metrics. 
Recommendation #12: A software upgrade policy with focus on security must be implemented to increase cyber resilience
  • A detailed policy on software upgrading must be formulated and implemented. 
  • An appropriate governance structure must be put in place to ensure that the software upgrade policy is adhered to. 
Recommendation #13: An internet access strategy that minimises exposure to external threats should be implemented
  • The internet access strategy should be considered afresh, in the light of the Cyber Attack. 
  • In formulating its strategy, the healthcare sector should take into account the benefits and drawbacks of internet surfing separation and internet isolation technology, and put in place mitigating controls to address the residual risks. 
Recommendation #14: Incident response plans must more clearly state when and how a security incident is to be reported
  • An incident response plan for IHiS staff must be formulated for security incidents relating to Cluster systems and assets. 
  • The incident response plan must clearly state that an attempt to compromise a system is a reportable security incident. 
  • The incident response plan must include wide-ranging examples of security incidents, and the corresponding indicators of attack. 
Recommendation #15: Competence of computer security incident response personnel must be significantly improved
  • The Computer Emergency Response Team must be well trained to more effectively respond to security incidents. 
  • The Computer Emergency Response Team must be better equipped with the necessary hardware and software. 
  • A competent and qualified Security Incident Response Manager who understands and can execute the required roles and responsibilities must be appointed. 
Recommendation #16: A post-breach independent forensic review of the network, all endpoints, and the SCM system should be considered
  • IHiS should consider working with experts to ensure that no traces of the attacker are left behind.
In relation to the implementation of its recommendations, the Committee states
IHiS and SingHealth should give priority to implementing the recommendations. Adequate resources and attention must be devoted to their implementation, and there must be appropriate oversight and verification of their implementation. Most importantly, implementation of the recommendations requires effective and agile leadership from senior management, and necessary adjustments to organisational culture, mindset, and structure. 
These imperatives apply equally to all organisations responsible for large databases of personal data. We must recognise that cybersecurity threats are here to stay, and will increase in sophistication, intensity, and scale. Collectively, these organisations must do their part in protecting Singapore’s cyberspace, and must be resolute in implementing these recommendations.