Australian Style Pty Ltd v .au Domain Administration Ltd

Case

[2009] VSC 422

25 September 2009


IN THE SUPREME COURT OF VICTORIA Not Restricted

AT MELBOURNE
COMMERCIAL AND EQUITY DIVISION
COMMERCIAL COURT

No. 6004 of 2009

AUSTRALIAN STYLE PTY LTD
ACN 099 892 814
Plaintiff
v
.au DOMAIN ADMINISTRATION LIMITED
ACN 079 009 340
Defendant

---

JUDGE:

HARGRAVE J

WHERE HELD:

Melbourne

DATE OF HEARING:

24, 25, 29, 30 June, 1‑2 July 2009

DATE OF JUDGMENT:

25 September 2009

CASE MAY BE CITED AS:

Australian Style Pty Ltd v .au Domain Administration Limited

MEDIUM NEUTRAL CITATION:

[2009] VSC 422

1st Revision 30 September 2009

---

CONTRACT – Regulatory context – Domain name registrar agreement between registrar and regulator – Whether ‘security breach’ of registrar’s systems – Obligation on registrar to give regulator immediate notice of security breach – Whether breach of obligation capable of remedy – Held: breach not capable of remedy – Express obligation to act in good faith – Whether breach of obligation to act in good faith capable of remedy – Held: breach not capable of remedy – Relevant principles discussed. 

---

APPEARANCES:

                    Counsel                                Solicitors
For the Plaintiff   Mr G T Bigmore QC with Mr M J Hoyne    Lander & Rogers
For the Defendant   Mr J J Gleeson SC with Mr A J Woods    Maddocks

TABLE OF CONTENTS

Parties and introduction

The domain name registration system

The registrar agreement

The 2007 security incident

The 2009 security breach

Events following disclosure of the 2009 security breach

Was the 2007 security incident a security breach requiring immediate notice to auDA?

Was the failure to give notice a breach capable of remedy?

Was there an agreement to the effect alleged by Australian Style?

Was auDA entitled to terminate the registrar agreement?

Was there a subsequent event of default justifying termination of the registrar agreement?

Conclusion and orders

HIS HONOUR:

Parties and introduction

  1. The plaintiff, Australian Style Pty Ltd, is one of a group of companies owned and controlled by Nicholas Bolton (‘the Australian Style group’).  According to Mr Bolton, the Australian Style group conducts a diverse range of information technology, telecommunications and associated businesses.  Relevantly, Australian Style was appointed by the defendant, in circumstances described below, as a registrar of internet domain names bearing the country code ‘.au’ (‘.au domain names’). 

  1. The defendant, .au Domain Administration Limited (‘auDA’), is a company limited by guarantee.  It is a not‑for‑profit corporation that acts as a regulatory body responsible for administrating the system by which .au domain names are registered, maintained and monitored (the ‘.au domain name system’).  In that capacity, auDA accredited Australian Style as a person authorised to provide ‘registrar services’ to the owners of websites with .au domain names. 

  1. auDA and Australian Style also entered into a ‘registrar agreement’.  That agreement governs the entitlement of Australian Style to continue its business of providing registrar services. 

  1. In the circumstances appearing below, auDA terminated the registrar agreement and withdrew Australian Style’s accreditation as a registrar. 

  1. In this proceeding, Australian Style challenges auDA’s actions and claims relief entitling it to continue operating its business as a registrar of .au domain names.  Pending the hearing and determination of this proceeding, interlocutory orders were made by the Court entitling Australian Style to continue operating that business. 

The domain name registration system

  1. The registration of worldwide internet domain names is controlled by a not‑for‑profit corporation, incorporated in California in the United States of America known as ICANN (the Internet Corporation for Assigned Names and Numbers).  In essence, ICANN is the body that provides technical co‑ordination of the internet throughout the world and, in particular, is responsible for the internet domain name system. 

  1. Following endorsement by the Commonwealth government, auDA was appointed by ICANN as the entity to administer .au domain names.  At the time, the Commonwealth government wrote to ICANN and stated that its endorsement was contingent upon auDA demonstrating its ability to be inclusive and accountable to members of the internet community, to enhance benefits to internet users through the promotion of competition, fair trading and provisions for consumer protection and support, and to represent the Australian internet industry.  Further, the Commonwealth government’s letter of endorsement states that such endorsement is subject to auDA operating within the provisions of its constitution, notes that the .au domain name system is a public resource to be administered in the public or common interest, and specifies that its endorsement is subject to it retaining ultimate authority for the management and administration of .au domain names.  The Commonwealth government has retained reserve powers to take control and oversee electronic addressing of .au domain names.[1] 

    [1] Telecommunications Act 1997 (Cth), Division 3 Part 23, ss 475-476.

  1. Following the government’s endorsement, ICANN appointed auDA to administer the .au domain name system for the benefit of the Australian internet community.  This was done pursuant to a sponsorship agreement which, among other things, commits auDA to administer the system in the interests of the global internet community. 

  1. Relevantly, the .au domain name system administered by auDA involves the following elements:

(1)       auDA has licensed a separate company, AusRegistry Pty Ltd, to operate a register of .au domain names.  Registration of a domain name entitles the registrant to exclusive use of that domain name for a two year period.  That exclusive right can be renewed for further periods.  Upon registration or renewal, a small fee is payable to AusRegistry and a small licence fee is payable to auDA. 

(2)       Neither auDA nor AusRegistry operate a business of selling .au domain names.  .au domain names are marketed and sold by accredited registrars who have entered into a ‘registrar agreement’ with auDA and, as appears below, by any ‘resellers’ with whom they deal.  Prior to the termination of the registrar agreement with Australian Style, 27 companies had been accredited by auDA to act as registrars. 

(3)       In order to register a .au domain name on behalf of a client, a registrar must register the domain name in the registry database maintained by AusRegistry.  Registrars perform this task through a direct computer link with the registry database, known as an ‘EPP interface’.  The EPP interface allows a registrar to ascertain whether a proposed .au domain name is available, to register a new domain name or, if the registrar is the ‘registrar of record’ for that domain name, to make amendments to an existing domain name.  Once a domain name is registered, the owner is referred to as a ‘registrant’. 

(4)       Commonly, registrars enter into arrangements with third parties known as ‘resellers’.  Resellers engage in the business of selling domain names, and deal with registrars to effect registration.  The financial arrangements between registrars and resellers are not relevant. 

(5)       Once a domain name has been registered, the registrant may choose to transfer the management of that domain name to another registrar of record. 

(6)       auDA does not itself provide domain registration services to the public.  However, it is the default registrar of record for its own domain name (auda.org.au) and temporarily becomes the default registrar of record for the domain names of registrants if the accreditation of their registrar of record is suspended or terminated.  In such cases, auDA remains the registrar of record until the registrants appoint a new registrar to manage their domain names. 

  1. The constitution of auDA recognises the purposes for which auDA exists.  Relevantly, its objects are stated in the following terms:

3.1      Principal Purposes

The principal purposes of auDA are:

a. to be the administrator of, and the Australian self regulatory policy body for [.au domain names];

b. to maintain and promote the operational stability and utility of [.au domain names] and more generally, the Internet’s unique identifier system, and to enhance the benefits of the Internet to the wider community;

c. to ensure a cost effective administration of [.au domain names];

d. to develop and establish a policy framework for the development and administration of [.au domain names] including:

iii. rules governing the accreditation of registrars and registry operators;

f. to liaise with national and international bodies on issues relating to the development and administration of domain name systems.

g. to establish appropriate complaints handling and dispute resolution processes to provide for conciliation or redress of grievances on matters associated with the administration of [.au domain names]. 

3.2      Activities

… auDA will seek to achieve its principal purposes as set out in clause 3.1, through:

a. ensuring the continued operational stability of the domain name system in Australia;

b. establishing mechanisms to ensure it is responsive and accountable to the supply and demand sides of the Australian Internet Community;

c. the promotion of competition in the provision of domain name services;

d. the promotion of fair trading;

e. the promotion of consumer protection;

f. adopting open and transparent procedures which are inclusive of all parties having an interest in use of the domain name system in Australia;

g. ensuring its operations produce timely outputs which are relevant to the needs of the Australian Internet Community.

  1. Since October 2000, the Chief Executive Officer of auDA has been Christopher Disspain.  As a result of his position as Chief Executive Officer of auDA, Mr Disspain has been appointed as the chair of the ‘Country Code Names Supporting Organisation’.  The role of that organisation is to review and develop recommendations on country code domain names and to advise ICANN.  It is an international organisation. 

  1. auDA performs a range of consumer protection activities in order to maintain the stability and integrity of the .au domain name system, including:

(1)       reviewing and updating published policies.  The published policies of auDA are binding upon registrars, resellers and registrants.  They are updated as new issues arise; 

(2)       imposing sanctions upon registrars and resellers for contraventions of registrar agreements and published policies; 

(3)       issuing consumer alerts; 

(4)       undertaking public education campaigns; 

(5)       conducting thorough pre‑accreditation vetting of potential registrars; 

(6)       monitoring compliance by accredited registrars with registrar agreements, published policies and accreditation standards by way of regular audits and reviews; 

(7)       liaising with Commonwealth authorities to advise on the security and integrity of the .au domain name system; and 

(8)       convening its independent Security and Stability Advisory Committee to advise its board on overarching security and stability issues.   

The registrar agreement

  1. Australian Style met auDA’s accreditation criteria in August 2002.  By a registrar agreement made on 8 August 2002, Australian Style (trading as ‘Bottle Domains’) was licensed by auDA to operate as a registrar in connection with the .au domain name system. 

  1. The registrar agreement contains the following relevant terms:

(1)       Australian Style is required to meet certain defined ‘Accreditation Criteria’ for the duration of the registrar agreement, and warrants that it will continue to meet those criteria.[2]

[2] Clause 3. 

(2)       ‘Accreditation Criteria’ is defined as follows:

Accreditation Criteria means the requirements specified by auDA from time to time in relation to the minimum criteria which must be satisfied by a person in order for that person to be auDA Accredited. 

(3)       Australian Style is required to comply with all of auDA’s published policies in force from time to time, including variations to those policies, and with any code of practice developed by auDA.  The published policies and code of practice are to be treated as if incorporated into the registrar agreement.  In the case of any inconsistency, the published policies are to have first priority, then the code of practice and then the provisions of the registrar agreement.[3] 

[3] Clause 7. 

(4)       Clause 14.1 imposes a number of positive obligations upon Australian Style.  Relevantly, clause 14.1 provides that Australian Style must:

14.1.1 act in good faith in its dealings with auDA, the Registry Operator, other registrars and each Registrant; 

14.1.2 do all things necessary to ensure that during the Term, it continues to meet the Accreditation Criteria; 

14.1.3 immediately give auDA notice of any security breaches affecting the Registrar or any part of its systems;[4]

[4] Emphasis added. 

(5)       Clause 19.1 imposes general obligations upon auDA.  Those obligations affect its role as administrator of the .au domain name system and the exercise by it of any of its powers or duties under the registrar agreement.  Clause 19.1 provides that auDA must, with respect to all matters that impact the rights, obligations or role of Australian Style:

19.1.1 exercise its responsibilities in good faith and in an open and transparent manner; and

19.1.2 not unreasonably restrain competition and, to the extent possible, promote and encourage robust competition; and

19.1.3 not apply standards, policies, procedures or practices arbitrarily, unjustifiably, or inequitably; and

19.1.4 not single out the Registrar for disparate treatment unless justified by substantial and reasonable cause; and

19.1.5 ensure, through its reconsideration and independent review policies, adequate opportunity for the Registrar to contribute to auDA’s standards, policies, procedures or practices.[5] 

[5] Emphasis added. 

(6)       Clause 23.1 of the registrar agreement defines an ‘Event of Default’ as:

23.1.1 an Insolvency Event; or

23.1.2 the Registrar does not continue to meet the Accreditation Criteria; or

23.1.3 any amount due and payable by the party under this document is in arrears for 30 days after formal demand has been made; or

23.1.4 the party commits a breach of this document which is not capable of being remedied; or

23.1.5 the party commits a breach of this document and fails to rectify that breach within 30 days after receipt of written notice specifying the breach and requiring rectification; or …[6]

(8)       Clause 23.2 of the registrar agreement specifies the powers of auDA in the event that an Event of Default occurs.  Relevantly, clause 23.2.5 gives auDA the power to terminate the registrar agreement by notice in writing given at any time following an Event of Default.  The parties agree that any exercise of this power of termination is subject to the general obligations imposed on auDA by clause 19.1.  It is also common ground that auDA may not terminate for a breach which is capable of remedy unless it has first served a 30 day notice under clause 23.1.5 and the breach has not been remedied within that 30 day period. 

(9)       auDA is entitled to suspend or terminate the accreditation of Australian Style ‘if auDA considers that an Event of Default has occurred in respect of [Australian Style].’[7]  The exercise of this power is also subject to auDA’s general obligations. 

[6] Emphasis added. 

[7] Clause 4.2.  Emphasis added. 

  1. A principal issue for determination in this proceeding is whether the breach relied upon by auDA as justifying termination was capable of remedy.  The breach relied upon is the failure of Australian Style to give auDA immediate notice of circumstances in April 2007 which auDA contends, and Australian Style denies, constituted a ‘security breach’ affecting Australian Style or its systems.  As there is a substantial dispute as to whether the relevant events constituted a security breach within the meaning of clause 14.1.3, I will refer to them neutrally as ‘the 2007 security incident’. 

The 2007 security incident

  1. Aust Domains International Pty Ltd (‘Aust Domains’) is an accredited registrar of .au domain names, and a competitor of Australian Style. 

  1. In 2004, Australian Style licensed Aust Domains to use software developed by Australian Style in connection with the provision of registrar services by Aust Domains to its customers.  Accordingly, both Australian Style and Aust Domains were using the same software to manage .au domain names for which they were the registrar of record. 

  1. On 10 April 2007, Ryan Tabarra, the Chief Executive Officer of Aust Domains, telephoned Mr Bolton.  In an affidavit sworn by Mr Bolton in support of an application for interlocutory relief, he described the telephone conversation and subsequent events in the following terms:

18. On 10 April 2007 I received a telephone call from Ryan Tabarra, the CEO of Aust Domains who informed me that:

(a) Aust Domains had employed a software developer to review the source code and through this review he had identified a vulnerability in the system that they used under licence, in that he was able to access via a PHP injection and download a “table structure” from the system.  A table structure is simply, as the name suggests, the format or structure of a table.  It does not contain any data;

(b) as [Australian Style] also used the same system, the developer attempted to access [Australian Style’s] system to identify if it also had a similar vulnerability;

(c) he had identified that [Australian Style] did in fact have the same vulnerability; he claimed that he obtained only non confidential data in our system to verify the vulnerability.  There was no indication that any sensitive customer data was obtained. 

(d) Aust Domains had developed a “patch” to fix the security flaw and could provide that to [Australian Style] for a fee; and

(e) During that call, Ryan Tabarra gave me an undertaking that Aust Domains had destroyed all material obtained by reason of the access of [Australian Style’s] system. 

19. [Australian Style] subsequently obtained the patch from Aust Domains and applied it to its system.  Aust Domains provided the patch free of charge pursuant to the Software Agreement. 

20. There is no evidence to suggest that the patch applied at that time was unsuccessful in fixing the security flaw and to the best of my knowledge no other unauthorised access has been made by any party. 

21. At the time, I did not consider the above events to constitute a “security breach” (whatever that phrase may mean) for the following reasons:

(a) it was only through the extensive knowledge and experience of Aust Domains in using the similar software that allowed it to identify the security flaw in its, and [Australian Style’s], systems.  Accordingly it was extremely unlikely that an external party would have been able to gain access to [Australian Style’s] systems given the significant level of knowledge required;

(b) it was my understanding that the only information obtained by Aust Domains was “table information data” which was merely system data and not in any way confidential nor related to [Australian Style’s] customers’ personal details;

(c) in effect, Aust Domain had simply identified a security flaw in our system (which we were previously unaware of) and provided the means by which that flaw could be remedied;

(d) Aust Domains gave undertakings the information which it obtained had been destroyed;

(e) even if Aust Domain had obtained confidential information it would be bound by the confidentiality agreement contained in the Software Agreement as well as the obligations of non disclosure of confidential information by virtue of being an accredited registrar; and

(f) [Australian Style] was able to obtain and immediately apply a patch to the system to prevent any further access.

22. In those circumstances, it was my view that there was no obligation on [Australian Style] to notify auDA of these events because there had not been a “security breach”.[8] 

[8] Affidavit of Nicholas Francis John Bolton sworn 16 April 2009, [18] – [22]. Emphasis added.

  1. Notwithstanding Mr Bolton’s view that there had been no unauthorised access to the private information of Australian Style or that of its registrants, and therefore no security breach, he nevertheless took steps ‘as a matter of prudency [sic]’ to change the Australian Style passwords for access to its private information.  He said that he did not consider it necessary to also change the passwords of registrants, because he believed that their passwords had not been accessed.  That explanation was wholly unsatisfactory. 

  1. In oral evidence, Mr Bolton described the ‘security flaw’ in the following terms:

We believe the flaw was the ability of someone with intimate knowledge of our software to insert a very specific code into a form on our website that would return results to them.  So with the knowledge of what code to write and where to look within our system they were able to return data back to them and that may [be] nonsensical data or it may be other data.

  1. Mr Bolton said that the flaw could be exploited through a web browser and that the exploitation of such a flaw is known as a ‘PHP injection’. 

  1. In oral evidence, Mr Bolton explained that a ‘table structure’ –

is like a directory system as to how the database is put together.  It doesn't actually contain any customer data or any confidential data whatsoever.  It's just a [schema]…

  1. As appears above, Mr Bolton took the view that the 2007 security incident did not constitute a ‘security breach’ within the meaning of the registrar agreement and that, accordingly, Australian Style was under no obligation to notify auDA of the 2007 security incident.  As appears below, auDA takes a different view.  It contends that the 2007 security incident was a ‘security breach’ within the meaning of the registrar agreement and, in addition, that the failure of Australian Style to notify it of that security breach was an event of default that is not capable of remedy. 

The 2009 security breach

  1. During the week commencing 26 January 2009, Mr Disspain was contacted by a representative of the Australian High Tech Crime Centre operated by the Australian Federal Police (‘AFP’).  auDA and this division of the AFP have an agreed information exchange protocol. 

  1. The AFP officer told Mr Disspain that the database of one of auDA’s accredited registrars had been offered for sale on the internet.  The officer told Mr Disspain that he was not certain of the identity of the registrar and provided certain information to Mr Disspain.  As a result, Mr Disspain concluded that the registrar was highly likely to be Australian Style. 

  1. The officer informed Mr Disspain that the information being offered for sale appeared to include domain name passwords and credit card details of registrants.  He asked Mr Disspain to keep the AFP investigation confidential, including from Australian Style.  Mr Disspain asked if he could inform AusRegistry about the issue and arrange to have all of the domain names managed by Australian Style monitored for any unusual activity.  The officer agreed and monitoring commenced almost immediately. 

  1. The AFP kept Mr Disspain informed of its investigations. 

  1. On 5 February 2009, an arrest was made by the AFP as a result of their investigations.  Following this, an AFP officer contacted Mr Bolton and told him that a man had been arrested in respect of offers made on the internet for the sale of the Australian Style database.  On this occasion, Mr Bolton had no doubt that a security breach had or may have occurred in connection with the private customer information maintained by Australian Style on behalf of registrants.  I will refer to these events as the ‘2009 security breach’. 

Events following disclosure of the 2009 security breach

  1. At 8:15 pm that evening, Mr Bolton e-mailed Mr Disspain and notified him of ‘what could potentially be a serious security breach’.  Mr Bolton gave his mobile number and said he would be available ‘any time’ to discuss the matter with Mr Disspain. 

  1. It appears that Mr Disspain was unable to reach Mr Bolton on his mobile that evening, so he sent him an e-mail in the following terms:

Nick

Have tried to call and sent you an SMS but no response.  I am aware of your ‘potential’ security breach and have been for some time.  As of this evening when we received confirmation of action under the AFP investigation, all 4 of your registrars have been blocked from making changes to any of your existing names under management.  We intend to take further action in the morning to protect the integrity of your customers data and the [.au domain name system] generally.  I suggest you arrange to be at our office at 10 30 and I suggest you bring your lawyers with you.

Regards

Chris Disspain

  1. The reference in Mr Disspain’s e-mail to ‘all 4 of your registrars’ reflects the fact that there are three other companies in the Australian Style group which are accredited by auDA as registrars in connection with the .au domain name system.  The four registrars under the control of Mr Bolton are:

(1)       Australian Style, trading as ‘Bottle Domains’.  Australian Style is referred to as ‘Bottle’, and sometimes ‘Bottle Domains’, in relevant correspondence referred to below. 

(2)       Bottle Domains Pty Ltd.  References in relevant correspondence to ‘Bottle’ or ‘Bottle Domains’ often include references to both Australian Style and Bottle Domains Pty Ltd. 

(3)       Domain Central Pty Ltd.

(4)       Explorer Domains Pty Ltd.

  1. A meeting took place at auDA’s offices on the morning of Friday 6 February 2009 (the ‘6 February meeting’).  The meeting was attended by Mr Disspain, Jo Lim, the Chief Policy Officer of auDA, and Craig Ng, the solicitor for auDA.  Mr Bolton and his solicitor, Erhan Karabardak, attended on behalf of Australian Style and the three related registrars.  Ms Lim prepared a note of the meeting in the following terms:

The AFP has advised that a copy of a database containing domain name and customer data from Bottle, Bottle Domains and/or Domain Central (“the Bottle Group”) has been offered for sale.  The AFP investigation is ongoing, but it is clear that there has been a security breach of the Bottle Group’s systems. 

As a precaution, auDA has instructed AusRegistry to reset all [passwords] for domains under the Bottle Group’s management.  In order to minimise any security risk to the registry, the Bottle Group’s EPP connections have been suspended pending an independent security audit.  In the meantime, the Bottle Group will be able to manage its domains manually via the registry portal. 

The Bottle Group will reset all customer login passwords.  Until the security problem has been fixed, the Bottle Group will verify all customer change requests by phone or email. 

It was agreed that auDA and the Bottle Group would work together to manage the security risk and present a consistent message to affected customers and the industry in general.  auDA and the Bottle Group will jointly write to customers on Monday 09/02/09 notifying them of the steps being taken to address the security breach.

Actions:

auDA to notify Aust Domains of a possible security risk to their systems.

The Bottle Group to:

• contact Vectra [Corporation Limited] to undertake a full security audit of the Bottle Group’s systems

• draft letter to customers and send to auDA for approval

• confirm in writing to auDA that Explorer Domains operates on an entirely separate system to the Bottle Group. 

  1. Ms Lim’s note of the 6 February meeting was not the subject of any challenge to its accuracy.  However, it is incomplete in a material respect.  During the course of the meeting, Mr Bolton made a brief reference to the 2007 security incident and its possible relevance to the events being investigated by the AFP.  Mr Bolton swore he informed those present that any unauthorised access to the Australian Style data:

may have been obtained through the vulnerability which was exposed in April 2007.  I also advised auDA that in April 2007, I had been told that no data had been obtained but, in retrospect, it was conceivably possible that this data was obtained then.  I advised auDA that I had also provided this information to the AFP.[9] 

This evidence was not challenged in cross‑examination.  There is brief reference to this aspect of the 6 February meeting in the handwritten notes taken by the solicitors.  The notes indicate that Mr Bolton mistakenly referred to the 2007 security incident as having taken place in 2006.  The conversation on this topic was brief, with Mr Bolton offering few details as to what had occurred.  The details were provided later, after auDA’s solicitors requested answers to specific questions concerning the 2007 security incident.  Understandably, the parties were focussed upon what steps needed to be taken at that time in response to the information provided by the AFP. 

[9] Affidavit of Nicholas Francis John Bolton sworn 16 April 2009, [26].

  1. On the morning of Friday 6 February 2009, Mr Bolton also spoke on the telephone with an AFP officer.  The officer then sent an e-mail to Mr Bolton in which he:

(1)       formally requested that Mr Bolton provide him with all credit card numbers held on databases of his companies relating to the registrar businesses conducted by Australian Style and Domain Central.  The purpose of the request was to provide the credit card numbers to the issuing banks so that they could mitigate any risk to their customers; 

(2)       stated that the AFP believed the database was compromised on 30 June 2008 and again on 27 January 2009; 

(3)       stated that the AFP’s investigations revealed that two persons had access to the database and that, accordingly, ‘there is a possibility that all of your current database may have been compromised and that data may be available to a third party for illegitimate purposes’;

(4)       stated that, because the AFP could not confirm that credit card numbers held in the Australian Style or Domain Central databases had not been compromised, the failure to provide credit card numbers to the issuing banks would be ‘an unacceptable risk’. 

  1. Mr Bolton did not immediately agree to provide the credit card numbers to the AFP so that they could notify the issuing banks.  He first raised some concerns that the Privacy Act 1988 (Cth) may prevent the provision of the information. He then sought to see a copy of the covering correspondence to be sent by the AFP to the issuing banks. He made some suggestions to the AFP to modify this proposed correspondence, by having the AFP stipulate that only some of the credit card information may have fallen into illegitimate hands. This is an early example of Mr Bolton seeking to downplay any risk that credit card information had been or may be fraudulently used.

  1. Late in the afternoon on 6 February 2009, Ms Lim of auDA stated in an e-mail to Mr Bolton and his solicitor that, although auDA was keen to resolve the situation as quickly as possible, ‘none of the steps that we are taking should be construed or regarded as a waiver of any rights that auDA may have’. 

  1. Also on 6 February 2009, in accordance with the agreed course of action discussed between representatives of auDA and Australian Style, Australian Style engaged Vectra Corporation Ltd to conduct a security review of the Australian Style, Bottle Domains Pty Ltd and Domain Central databases.  As Explorer Domains operated on an entirely separate system, its EPP access was not withdrawn. 

  1. Pending the receipt of the security report from Vectra, the immediate concern was the provision by Australian Style to auDA of a draft e-mail, to be sent by Australian Style to its customers following approval by auDA.  In this regard, auDA contends that it agreed to a specific form of e-mail communication, and alleges that Mr Bolton, acting deliberately, recklessly or negligently, sent an e-mail in a substantially revised form.  Australian Style contends that an amended version of the e-mail had been agreed upon, but nevertheless acknowledges that it negligently sent an altogether different version.  The relevant facts appear below. 

  1. The solicitor for Australian Style, Mr Karabardak, drafted an e-mail communication to clients over the weekend of 7 and 8 February 2009.  On the Monday morning, 9 February 2009, Mr Disspain e-mailed Mr Bolton and his solicitor at 8:48 am and stated: ‘We need to get this finalised this morning.  We cannot delay any longer.  Text please.’  Mr Karabardak responded that Mr Bolton was reviewing a second draft of the e-mail communication.  Later, at 10:05 am, Mr Karabardak sent an e-mail to Mr Disspain and Ms Lim apologising for any delay in providing the draft e-mail for auDA’s consideration and approval.  He referred to the fact that Mr Bolton was meeting security consultants during the course of the morning.  He continued:

To keep the ball rolling and subject to Nick’s instruction, the following is a compromise draft that went between Nick and me:

Dear Customer,

This email is to inform you that a number of Bottle Domains’ accounts have recently been the target of a security breach.  We cannot yet determine whether your account has been affected, however as a precautionary measure, we have taken the following steps (as part of our action plan) with your account:

- Updated your account password;

- Updated your domain name password at the registry;

You will receive your new password details in a separate email.

During this time, we recommend that you remain vigilant, and carefully monitor your domains, your account and your credit card transactions.  Please contact us immediately if you are aware of anything out of the ordinary.

Whilst strict security is in place, we have taken further measures to enhance and protect your account security, including human verification of important registry updates.  We are working in conjunction with auDA, the Australian Government endorsed industry regulator, the relevant authorities, and independent security experts to review and consider even further measures to protect your important data. 

If you have any questions or concerns about the security of your account, please feel free to contact us at …

Regards

Bottle Domains

Please let us know what your thoughts are.[10] 

[10] Emphasis added. 

  1. Following a telephone conversation between Mr Disspain and Mr Karabardak, Mr Karabardak sent an e-mail to Mr Disspain confirming that the text of the proposed e-mail had been approved by auDA, and Mr Disspain confirmed his approval by e-mail sent at 11:29 am.  I will refer to this form of proposed e‑mail as ‘the agreed e‑mail’.  In his e-mail, Mr Disspain required the agreed e-mail to be sent to all registrants of Australian Style, Bottle Domains Pty Ltd and Domain Central ‘within the next 2 hours to ensure arrival during business hours today.  Please confirm.’ 

  1. About an hour later, commencing at 12:30 pm, there was a telephone conference between Mr Bolton, Mr Karabardak, Mr Disspain and Mr Ng.  At no stage did either Mr Bolton or Mr Karabardak raise the possibility that Australian Style would seek to revise the form of wording in the agreed e-mail.  According to Mr Ng’s handwritten notes, the agreed e-mail was discussed, and Mr Bolton advised the other participants in the telephone conference that Australian Style would ‘send our notice in the next hour’. 

  1. Approximately one hour later at 1:34 pm, Mr Bolton sent an e-mail to Mr Disspain (the ‘1:34 e-mail’).  The 1:34 e-mail stated:

Hi Chris, as discussed, please see a summary document I prepared outlining our actions as a result of this event.  This was written prior to the latest set of info from the AFP, so the situation is a little less ambiguous now. 

  1. Mr Disspain said that he read the 1:34 e-mail but has no recollection of reading the attached summary document.  To his recollection, he first read the summary document at a later time, once it became apparent that Mr Bolton was alleging that the summary document contained an amended version of the agreed e-mail, and that this amended version had been sent to Mr Disspain for approval.  

  1. In the summary document, Mr Bolton said that only customers of Australian Style and Bottle Domains Pty Ltd would be notified of a security breach.  He asserted that there was ‘no reason to believe that any compromise of Domain Central has occurred’.  He then set out the text of an amended e-mail to be sent by Australian Style to its registrants.  That text excluded any reference to the need for registrants to monitor their credit card transactions.  The relevant paragraph in the agreed e‑mail had provided:

During this time, we recommend that you remain vigilant, and carefully monitor your domains, your account and your credit card transactions.  Please contact us immediately if you are aware of anything out of the ordinary.[11]

[11] Emphasis added.  

  1. In the amended version contained in the summary document put forward by Mr Bolton, which I will call the ‘amended e‑mail’, this paragraph reads:

During this time, we recommend that you remain vigilant, and carefully monitor your account and domains.  Please contact us immediately if you are aware of anything out of the ordinary. 

  1. The 1:34 e-mail contains no indication that the enclosed summary document included an amended e-mail to be sent to registrants.  The 1:34 e-mail states only that the summary document contains an outline of Australian Style’s ‘actions as a result of’ the 2009 security breach.  Further, the summary document makes no reference to the fact that Mr Bolton was proposing an important amendment to the text of the agreed e-mail. 

  1. There was delay in sending any e-mail to Australian Style registrants.  By mid‑afternoon, Mr Disspain had lost patience.  He e-mailed Mr Bolton in the following terms:

Nick,

It is now 15.30 and I have received no indication that emails have been sent in the agreed form to Bottle registrants nor have I received any proposed text to Domain Central registrants. 

We agreed last Friday to delay sending information out until this morning and I have made it abundantly clear to you that this morning was a clear deadline.  I have been more than co-operative and patient and allowed you to stretch the time out until now. 

auDA is currently preparing its own text which we will commence sending to all Domain Central and Bottle registrants within the next hour. 

  1. This e-mail prompted a rapid response from Mr Bolton:

Hi Chris,

I don’t feel that’s necessary.  Customers are not presently at risk, and we are working as quickly as possible to get this done. 

You don’t have a right to contact Domain Central customers on your own accord, you have no reason to suspect any security breach.  We have agreed that we are prepared to do this, I don’t feel auDA taking matters into their own hands is in the best interests of this issue.

Please see my proposed text for Domain Central customers below...

  1. Mr Disspain was not satisfied.  He responded:

Nick

a) I still await a situation update on Bottle customers.  Has the email gone out?

b) The [Domain Central] text is NOT acceptable.  You should use the same text as your Bottle email but amended to indicate that you believe there has been no breach at [Domain Central].

We will continue to draft our own text and be ready to send this out by 16.30 in order to protect the security and stability of the .au system.

  1. Shortly after this, at 3:57 pm, Mr Karabardak e-mailed Mr Disspain and others and stated:

As discussed with Craig [Mr Ng]:

1. There is no issue with the Bottle email, it is with the technical guys to be sent out;

2. The Domain Central revised wording is being re-written now – hope to have this finalised shortly. 

I think we are nearly there. 

  1. Mr Disspain continued undeterred.  At 4:10 pm he e-mailed Mr Karabardak and Mr Bolton with the wording of the e-mail that auDA intended to send out that afternoon. 

  1. Before the auDA e-mail could be sent, Mr Bolton e-mailed Mr Disspain at 4:34 pm and said that ‘the Bottle Domains e-mail will start hitting customers within 5 minutes’.  This apparently appeased Mr Disspain, who responded ‘Good.  Excellent.  Thank you.’

  1. Shortly thereafter, the wording of the e-mail to Domain Central customers was also agreed. 

  1. At 8:22 pm, Mr Bolton advised Mr Disspain by e-mail that e-mails had been sent to ‘Bottle customers’ (ie Australian Style and Bottle Domains Pty Ltd registrants), and that the Domain Central e-mails were progressing and should be completed within an hour or two. 

  1. Mr Bolton said that he intended the e-mail to Australian Style customers would be in the form of the amended e‑mail contained in the summary document sent to Mr Disspain with the 1:34 e-mail.  He said that he understood this text had been agreed because he received no response from Mr Disspain to the 1:34 e-mail.  Even accepting this to be so, the e-mail in fact sent was in a different form altogether.  In particular, it omitted the paragraph recommending that registrants remain vigilant and monitor their domains, accounts and credit card transactions.  There were other changes which had the obvious intention of downplaying the seriousness of the security breach and seeking to reassure registrants that it was unlikely their private information had been accessed.  In evidence and submissions, the parties referred to this e‑mail as the ‘defective e‑mail’.  For convenience, I will adopt that description. 

  1. Mr Bolton said that he did not intend the defective e-mail to be sent.  He said it was sent as a result of a ‘cut and paste error’ made by him.  He explained that two versions of the e‑mail were open on his screen at the time he gave instructions to the employee who was to send the e-mail to clients. 

  1. The error was discovered by auDA the following morning.  Mr Ng, solicitor for auDA, informed Mr Bolton and his solicitor, Mr Karabardak, of the error and continued:

auDA is clearly disappointed that Bottle Domains has chosen to disregard arrangements put in place cooperatively between the parties in order to deal with this significant breach.  The arrangements were put in place (and agreed by auDA), in order to ensure that registrants are given all the relevant facts surrounding the security breach, and advices as to steps that needed to be taken to reduce any risks to the registrants.

Bottle Domains’ actions have now left auDA with no alternative but to issue its own communication to registrants, to remedy the situation, and in order to protect the integrity of the .au system.

As previously communicated to Bottle Domains, auDA reserves all its rights in relation to this matter.[12] 

[12] Emphasis added. 

  1. Mr Bolton responded to Mr Ng in terms indicating that he understood that the text of the e-mail was ‘identical to agreed’, because he had copied and pasted it himself to the responsible staff.  Mr Bolton offered to send the e-mail again if required by auDA.  In Mr Bolton’s mind, this was an offer to send the amended e‑mail, not the agreed e‑mail. 

  1. Mr Bolton then sent an e-mail to Mr Ng in which he said that he was ‘not sure what the confusion [was]’ and referred to the text of the amended e-mail contained in the summary document sent with the 1:34 e-mail. 

  1. auDA then prepared its own e-mail to Australian Style clients.  At one stage, following a discussion with Mr Bolton in which Mr Disspain said that he would consider Mr Bolton’s position, Mr Disspain expressed the view (in an internal auDA e-mail) that he was prepared to omit a reference to the need for clients to monitor credit card transactions.  After further thought, however, he decided the reference was necessary. 

  1. The auDA e-mail was sent out later on 10 February 2009. 

  1. On the afternoon of 10 February 2009, Mr Disspain also issued a report to the board of auDA.  In this report, Mr Disspain summarised his understanding of the 2007 security incident.  That summary was based upon what he had been told by the AFP, and not on what he had been told by Mr Bolton.  The AFP’s understanding of the 2007 security incident was incorrect in some respects, but nothing turns on this.  Mr Disspain reported to the board that auDA had satisfied itself that the security of the Aust Domains systems was not affected because Aust Domains had ceased using the software licensed to it by Australian Style about six months previously, ‘and the AFP have confirmed that they have no evidence whatsoever to indicate any compromise of the old AustDomains system’.

  1. The final matter arising from the 6 February meeting was completion and consideration of the security review to be undertaken by Vectra.  The Vectra report was completed on 18 February 2009.  It was critical of the security systems maintained by Australian Style, identified a number of significant vulnerabilities in those systems and recommended actions by Australian Style to address those vulnerabilities. 

  1. Prior to completion of the final Vectra report, drafts were provided by Vectra to Australian Style.  Australian Style, in turn, provided copies of these draft reports to auDA. 

  1. In circumstances where Mr Bolton knew that the Vectra report would be critical of Australian Style’s security systems, Mr Bolton sought to have Vectra provide a short letter certifying that, following a comprehensive review, it was ‘satisfied that the relevant system is not susceptible to the same security issue which caused the security breach incident affecting [Australian Style]’. 

  1. In an e-mail to Vectra, Mr Bolton stated that this request emanated from auDA, which wished to be satisfied that it was safe to reinstate Domain Central and Bottle Domains Pty Ltd.  There was further e-mail correspondence between Mr Bolton and Vectra concerning this issue.  Mr Bolton was cross‑examined to the effect that he was endeavouring to obtain a letter from Vectra with a view to withholding the final Vectra report from auDA.  In this regard, reliance was placed upon an internal e-mail to Mr Bolton from a technical employee of Australian Style.  In that e-mail, the employee referred to the numerous criticisms made by Vectra of Australian Style’s security systems and concluded ‘I am not inclined to send this document to auDA’.  In circumstances where drafts of the Vectra report were made available to auDA by Australian Style, and a copy of the final Vectra report was provided to auDA the day after it was received (19 February 2009), it is unnecessary to consider this cross‑examination further, or the submissions against Mr Bolton’s credibility based upon it.  Mr Bolton’s actions in this regard do not undermine his credit. 

  1. The final Vectra report was provided to auDA by Mr Karabardak on behalf of Australian Style.  In his covering letter, Mr Karabardak sought to downplay the significance of the criticisms made by Vectra of Australian Style’s security systems.  Further, he sought to establish that the vulnerability which caused the 2009 security breach did not give rise to any security vulnerability in respect of the Domain Central database, because that database was completely separate from that of Australian Style.  In all the circumstances, Mr Karabardak requested on behalf of Australian Style that auDA immediately restore the EPP connections of Australian Style, Domain Central and Bottle Domains Pty Ltd. 

  1. Subsequently, auDA agreed to restore the EPP connections of Australian Style, Bottle Domains Pty Ltd and Domain Central upon certain terms and conditions.  Australian Style accepted those terms and conditions.  It contends, and auDA denies, that the e-mail correspondence recording these arrangements constitutes an agreement by auDA to take no further action against it in respect of the 2007 security incident. 

  1. In an e-mail letter from auDA’s solicitors to Australian Style’s solicitors dated 16 February 2009, auDA’s solicitors referred to a telephone conference on 13 February 2009, during which further details of the 2007 security incident were disclosed by Mr Bolton.  The letter records that on 13 February Mr Bolton said words to the effect that:

the security breach arose from an unauthorised person gaining unauthorised access to [Australian Style’s] systems, and result[ed] in that unauthorised person downloading and obtaining data – to which the unauthorised person was not entitled to download or obtain – from [Australian Style’s] systems or database.

auDA’s solicitors stated that it was a matter of significant concern to auDA that Australian Style had not given it immediate notice of the 2007 security incident.  Accordingly, Australian Style was requested to provide a comprehensive report relating to the 2007 security incident as soon as possible, and in any event by close of business on Monday 23 February 2009. 

  1. The solicitors for Australian Style responded by e-mail letter on 17 February 2009.  They asserted that the 2007 security incident did not constitute a security breach, but merely the discovery of a security vulnerability which had been ‘patched’.  In these circumstances, Australian Style’s solicitors asserted that the circumstances surrounding the 2007 security incident were ‘not relevant to the issues at hand’.  They expressed the view that, following the telephone conference on 13 February 2009, they understood that the EPP connections of Australian Style and related registrars would be restored once the Vectra report was provided to auDA. 

  1. The solicitors for auDA responded on the following day, 18 February 2009.  They repeated the request for Australian Style to provide further information concerning the 2007 security incident.  As a separate matter, auDA’s solicitors stated that restoration of the EPP connections depended upon both the receipt of the Vectra report and upon auDA being reasonably satisfied that Australian Style had adequate processes and procedures in place to deal with security breaches. 

  1. Australian Style’s solicitors responded on the same day.  They provided some further information relating to the 2007 security incident.  Relevantly, the letter stated:

Our client instructs that Aust Domains using the vulnerability obtained a ‘table structure’ (in 2007) in order to verify that the vulnerability was exploitable.  We are instructed that this data was subsequently destroyed.  Our client is not aware to the best of its knowledge, of any database or customer data being extracted as part of this exercise. 

Our client does not consider this as a security breach, as there was a contractual agreement with Aust Domains, a trusted party and auDA Accredited Registrar. 

The position of Aust Domains in this scenario is comparable to the relationship between Bottle Domains and Vectra. 

As our client does not consider the events of 2007 as a security breach, it maintains that it only became aware that the database was alleged to have been compromised in January 2009 when notified by auDA and the AFP. 

Our client maintains its position, that these matters are not relevant. 

  1. On 19 February 2009, the solicitors for auDA wrote to the solicitors for Australian Style (the ‘19 February letter’).  In that letter, auDA’s solicitors stated, in clear terms, auDA’s position that the 2007 security incident constituted a security breach requiring immediate notice by Australian Style under clause 14.1.3 of the registrar agreement:

Meaning of security breach

First, let us clarify our client’s position. 

Our client does not consider that a “security breach” occurs simply because of the existence of a security vulnerability, in circumstances where no person has had unauthorised access to your client’s systems, or has had unauthorised access to data in your client’s systems, through that security vulnerability. 

Access to obtain ‘table structure’

In your letter dated 18 February 2009, you advised that Aust Domains “obtained a ‘table structure’ (in 2007)” from your client’s system through the vulnerability in your client’s systems.  It is clear that such ‘table structure’ could only be obtained by a person gaining access to your client’s systems. 

It is also clear to our client that a “security breach” would have occurred if a person was able to make unauthorised access to your client’s systems in order to obtain a ‘table structure’ from your client’s systems. 

Of course, such access would not amount to a “security breach” if it was made with your client’s prior knowledge and consent or authority, although your client does not claim this to be the case in your recent correspondence.  Indeed, in all our recent meetings, your client’s position (as our client understands it) is that Aust Domains was not entitled to access your client’s systems or to obtain the relevant data from your client’s systems. 

Request to provide information

As you are aware, our client is very concerned about the possible occurrence of a security breach affecting your client or its systems in 2007, and is fully investigating this matter. 

To assist our client in its investigations, and in accordance with clause 14.1.9 of the Registrar Agreement, our client has instructed us to request on its behalf, that your client provides the following information to us (on our client’s behalf) within seven days:

1. (in reference to paragraph 3 of your letter dated 17 February 2009):

1.1 please provide details of each vulnerability identified by Aust Domains, and the date when Aust Domains first notified Bottle Domains of such vulnerability;

1.2 please identify the person from Aust Domains who advised Bottle Domains about the vulnerability;

1.3 please provide details or copies of the correspondence between Aust Domains and Bottle Domains relating to the identification of the vulnerability, and any requests or requirements made by Aust Domains relating to the vulnerability;

1.4 please identify the person from Aust Domains who provided Bottle Domains with the security patch;

1.5 please provide details of the security patch provided, and in particular, what the security patch comprises;

1.6 please provide details of the steps taken by Bottle Domains in order to apply the security patch, and any other steps taken by Bottle Domains to address the vulnerability, including the date when those steps were taken;

2. (in reference to paragraph 4 of your letter dated 17 February 2009): please provide the relevant provisions in the commercial contract which permitted Aust Domains or its employees to have access to Bottle Domains software or systems, or to access data from Bottle Domain’s systems;

3. (in reference to paragraph 3 of your letter dated 18 February 2009):

3.1 please identify the person from Aust Domains who obtained the ‘table structure’;

3.2 please provide details or copies of the correspondence between Aust Domains and Bottle Domains relating to the access to Bottle Domains’ ‘table structure’, and details of the ‘table structure’ obtained by Aust Domains;

3.3 please provide details or copies of the correspondence between Aust Domains and Bottle Domains relating to the destruction of the ‘table structure’ data.

In relation to the final paragraph of your letter dated 18 February 2009, our client’s position, as it has advised your client consistently on numerous occasions, is that it will not consider authorising the restoration of any of your client’s EPP connections to the .au registry, until at least such time that it receives a security report acceptable to it, which verifies that none of your client’s systems remains susceptible to the vulnerability which has resulted in the recent security breach. 

  1. As appears above, auDA had previously reserved all of its rights in relation to the 2007 security incident and the 2009 breach.  In these circumstances, auDA’s request for further information concerning the 2007 security incident could only have been relevant to a decision by auDA as to what, if any, further action it would take in connection with the late disclosure of the 2007 security incident. 

  1. Further, as a separate matter, the 19 February letter makes it plain that auDA was acting to ensure that no further security breach should take place.  In that regard, restoration of the EPP connections of Australian Style, Bottle Domains Pty Ltd and Domain Central was dependent upon auDA being satisfied that the security vulnerability which gave rise to the 2009 breach no longer existed.  auDA repeated this position by a further e-mail letter from its solicitors to Australian Style’s solicitors dated 20 February 2009.  In reply, by e-mail letter dated 24 February 2009, the solicitors for Australian Style provided a response prepared by the Australian Style group to the recommendations contained in the Vectra report.  That response included a detailed description of remediation works already undertaken by the Australian Style group. 

  1. Following a consideration of Australian Style’s responses, the solicitors for auDA sent another e-mail letter, dated 26 February 2009 (the ’26 February letter’).  It is necessary to quote the 26 February letter in full:

Dear Mr Karabardak

.au Domain Administration Limited and Australian Style Group – Security Breach

We refer to your letter dated 24 February 2009.

Your letter included a report prepared by your client (ASG Report) in response to the security assessment report dated 18 February 2009 prepared by Vectra Corporation Limited (Vectra Report). 

The ASG Report outlines the steps which your client has taken, or will take, in response to the Vectra Report, and more particularly, with respect to clauses 3.1 (Recommendations – High Level) and 7 (Detailed Findings and Remediation) of the Vectra Report. 

In this letter, when we use the term “your client”, we are referring to each of Bottle Domains, Domain Central and Bottle.

Our client has considered your letter and the ASG Report.

Our client has instructed us to advise your client that it will authorise the restoration of your client’s EPP connection to the registry, in relation to Bottle Domains, Domain Central, and Bottle, if the following conditions are met, and continue to be met, to our client’s satisfaction:

1. Your client confirms, warrants and undertakes in writing to our client that:

1.1 all information set out in the ASG Report is true and correct in every particular;

1.2 in relation to all remediation works which your client says it has carried out, those works have been carried out in a manner which substantially addresses the findings and recommendations of Vectra and set out in the Vectra Report;

1.3 in relation to all remediation works which your client says it is in the process of carrying out, your client will take all necessary actions to carry out those works in an expeditious manner, in order to promptly address the findings and recommendations of Vectra, and to mitigate the risks identified by Vectra in the Vectra Report;

1.4 your client will provide our client with a further report, in the form or substantially the form of the ASG Report, on or before 29 May 2009, which report must set out:

1.4.1 all further steps taken by your client for the three month period up to the end of May 2009; and

1.4.2 the progress of all remediation works which your client says it is in the process of carrying out in the ASG Report,

in addressing the findings and recommendations of Vectra in the Vectra Report. 

2. Our client being continuously satisfied that your client is proactively taking all reasonable and appropriate steps, in an expeditious manner, to address the findings and recommendations of Vectra as set out in the Vectra Report. 

3. Our client being satisfied that all findings and recommendations of Vectra as set out in the Vectra Report, have been substantially implemented and addressed by your client on or before 29 May 2009.

4. Our client being satisfied that your client has substantially responded to its request for information, as set out in our letter to you on 19 February 2009, relating to the 2007 security breach incident:

4.1 to the best of its ability on the basis of the best available information, on or before 5.00 PM today; and

4.2 in respect of matters which your client does not currently have sufficient information, on or before 5.00 PM on Friday 6 March 2009. 

5. Your client acknowledges that any authorisation by our client to restore your client’s EPP connection to the registry, will be made on the basis of the conditions set out above, and that our client reserves the right to direct the registry to disconnect each of your client’s EPP connections to the registry, in the event that there is any breach of any condition set out above.

Our client considers that the imposition of these conditions upon your client is reasonable and necessary, in light of recent events and the findings by Vectra, in order to ensure that the security of the registry is preserved, and that your client is taking all necessary and appropriate steps to mitigate any security risks to the registry’s data. 

Can you please seek your client’s instructions as to whether these conditions are acceptable to it, and if so, whether you have instructions, on your client’s behalf, to make the confirmation, warranty, undertaking and acknowledgment set out in this letter to our client. 

  1. Following receipt of the 26 February letter, Australian Style gave the undertakings, warranties and acknowledgments sought, and provided a response to auDA’s request for information as contained in the 19 February letter.  auDA did not consider this was a substantial response, but nevertheless restored the EPP connections.  Australian Style contends that its response was substantial, that it therefore accepted all of the conditions specified by auDA in the 26 February letter, and that an agreement was therefore constituted.  It contends that auDA agreed to take no further action against it in respect of the 2007 security incident, in particular as a result of its failure to give auDA immediate notice of that incident. 

  1. On the following day, 27 February 2009, auDA’s solicitors wrote to Australian Style’s solicitors.  In that letter, auDA distinguished between the immediate issue of restoring the EPP connections of Australian Style, Bottle Domains Pty Ltd and Domain Central, which was dependent upon it being satisfied as to the current security systems maintained by them, and its continuing investigation of the 2007 security incident.  The letter is in the following terms:

Dear Mr Karabardak

.au Domain Administration Limited and Australian Style Group – Security Breach

We refer to recent correspondence. 

In reliance upon your client’s warranties, undertakings and acknowledgments set out in our recent correspondence, our client has instructed us that it will, this morning, instruct the registry operator to restore your client’s EPP connections to the registry. 

In taking this course of action, our client does not waive any right which it has under the terms of the Registrar Agreement, including in particular, in relation to the 2007 incident of security breach.  Our client will continue to investigate the incident and to consider its position, and expressly reserves all its rights. 

Our client disagrees with your client’s characterisation of the 2007 incident of security breach as not being a “security breach”.  Our client’s position is that if an unauthorised person is able to have unauthorised access to your client’s systems and to obtain your client’s data, through a vulnerability in your client’s systems, then such an event clearly amounts to a security breach. 

The failure by your client to immediately give our client notice of such security breach is of serious concern to our client, and in our client’s view, a breach of clause 14.1.3 of the Registrar Agreement.  Our client looks forward to receiving your client’s full response to its request for information (set out in our letter to you on 19 February 2009), as soon as possible but before 5.00 PM on Friday 6 March 2009.

In the meantime, would you please seek your client’s instructions, and to advise our client (through our office), as to the reasons why your client did not consider that it was under a contractual obligation, and why it did not, immediately give our client notice of the 2007 incident of security breach when your client became aware of the incident.[13] 

[13] Emphasis added.

  1. As appears below, Australian Style now contends that auDA’s reservation of rights in this letter came too late, because the agreement for which it contends had already come into existence when it accepted the conditions specified in the 26 February letter.  However, Australian Style raised no such contention at the time.  Its solicitors responded that Australian Style was attempting to locate documents surrounding the 2007 incident, as requested by auDA.

  1. By letter dated 6 March 2009, Australian Style’s solicitors provided further information concerning the 2007 security incident.  The solicitors contended that, as a result of the provision of this further information, Australian Style had ‘fully responded’ to the request for information contained in the 19 February letter.  auDA did not accept that this was so.  By letter dated 13 March 2009 from its solicitors, auDA repeated its contention that it viewed the 2007 security incident as a security breach and the failure of Australian Style to give immediate notice of the security breach as a breach of clause 14.1.3 of the registrar agreement.  Further, auDA’s solicitors stated that auDA considered that breach to be ‘incapable of rectification’ and that, accordingly, an event of default had occurred under the terms of that agreement.  In these circumstances, auDA’s solicitors stated that auDA was not satisfied Australian Style had provided a substantive response to the requests for information.  In order to make its position clear, auDA’s solicitors stated that the purpose of the request for information in the 19 February letter was to give Australian Style the opportunity to bring to auDA’s attention all relevant circumstances surrounding the 2007 security incident, so that auDA could take these into account in determining whether to exercise its rights under the registrar agreement.  The responses of Australian Style were characterised as ‘flippant, incomplete and inadequate’.  A further opportunity was given to Australian Style to provide all information requested in the 19 February letter and the 27 February letter. 

  1. In response, Australian Style’s solicitors sought some further time to provide the requested information.  The further time was given.  On 24 March 2009, the solicitors for Australian Style wrote to auDA’s solicitors providing some, but not all, of the further information requested (the ‘24 March letter’).  In that letter, they also disputed that the responses previously provided were ‘flippant, incomplete and inadequate’, asserted that Australian Style had acted in good faith throughout, reasserted the contention that the 2007 security incident did not constitute a security breach within the meaning of clause 14.1.3 of the registrar agreement and stated that Australian Style ‘reserves its rights in every regard’.  However, the 24 March letter contains no assertion that Australian Style’s acceptance of the terms of the 26 February letter gave rise to any agreement by auDA to take no further action in respect of the failure of Australian Style to give immediate notice of the 2007 security incident. 

  1. In the 24 March letter, Australian Style’s solicitors gave three principal reasons as to why Australian Style did not consider the 2007 security incident to constitute a security breach which was required to be notified to auDA under the registrar agreement:

1. The party involved, Aust Domains, was an auDA Accredited Registrar, subject to contractual confidentiality obligations (in the licence agreement, and by separate Deed of Confidentiality);

2. There was never any indication or notification from Aust Domains that customer data had been compromised or obtained; and

3. That Aust Domains gave a verbal warranty or assurance that the table structure had been deleted.

  1. By e-mail letter sent on 31 March 2009, auDA’s solicitors recorded auDA’s understanding of the actions taken by Australian Style in response to the notification by Aust Domains of the 2007 security incident.  The letter stated:

From your response, it would appear to our client that:

1. In order to address the security vulnerability in your client’s computer system, as identified by Aust Domains and notified to your client on or about 17 or 18 April 2007, your client applied a security patch provided to your client by Aust Domains on or about 19 April 2007.

2. Your client did not take any other step to address the security vulnerability, or as a result of the security vulnerability, such as conducting an independent security audit of its systems, or notifying any customer or notifying our client.

3. Despite the seriousness of the incident, in which a person was able to make an unauthorised access to your client’s computer system, and make an unauthorised download of the ‘table structure’ from your client’s computer system, your client did not obtain any form of written assurances or confirmation from the person that he or she has not made any other unauthorised access to your client’s computer system, or made any other unauthorised download of data from your client’s computer system, or that the person has permanently deleted the ‘table structure’ downloaded from your client’s computer system.

If our client’s understanding, as set out above, which summarises the recent correspondence between us, is not correct, would you please let us know immediately?

Our client is continuing its investigations into the 2007 security breach, and is considering all your client’s responses to its enquiries to‑date. 

  1. There was no response to this letter.  By 6 April 2009, auDA had determined that it would exercise its right to terminate the registrar agreement, and the accreditation of Australian Style as a registrar, as a result of the failure of Australian Style to give immediate notice of the 2007 security incident.  Having regard to the forthcoming Easter vacation, it was determined that notice of termination would be given on 15 April 2009.  On that day, formal notice of termination was given to Australian Style.  In that termination notice, auDA specified two grounds upon which the decision to terminate had been based.  First, ‘as a consequence of the occurrence of an Event of Default’.  Second, because auDA considered that an event of default had occurred under the terms of the registrar agreement.  Each of the two grounds was stated to operate independently of the other.  The accompanying letter specified the event of default relied upon and the other relevant factors taken into account by auDA in considering that it was appropriate to terminate the registrar agreement on the basis of that event of default.  In setting out this information, auDA complied with its general obligation under clause 19.1 of the registrar agreement to exercise its responsibilities ‘in an open and transparent manner’.  However, Australian Style maintains that, in deciding to serve the termination notice, auDA breached other general obligations upon it under that clause; by failing to act in good faith and by unjustifiably singling Australian Style out for disparate treatment.    

  1. Two days later, on 17 April 2009, Australian Style made an ex parte application to this Court for interim orders permitting it to continue acting as a registrar pending a full hearing.  Interim orders were made on that day. 

  1. On 20 April 2009, the auDA board met.  The court action was noted.  It was also noted that the possible termination of the registrar agreement with Australian Style, and its accreditation as a registrar, had been foreshadowed at the February meeting.  The board formally endorsed all actions taken by Mr Disspain on behalf of auDA to that time. 

  1. On 22 April 2009, interlocutory orders were made by this Court which had the effect of entitling Australian Style to continue operating as a registrar pending the hearing and determination of the proceeding.  Directions were made for an early trial.

Was the 2007 security incident a security breach requiring immediate notice to auDA?

  1. It is necessary to construe the relevant provisions of the registrar agreement in accordance with general principles of contractual interpretation.  This requires the Court to consider what reasonable persons in the position of the parties would have understood the words to mean by reference to the text of the agreement, the surrounding circumstances known to the parties and the purpose or object of the transaction.[14]  It is not necessary to first conclude that the words used are ambiguous before having regard to the surrounding circumstances and the purpose or object of the transaction.[15]  In interpreting the words and resolving any ambiguity, the Court should proceed in a common sense and non-technical way and give the agreement a commercially sensible construction.[16]  The Court should have regard to all of the words used in the agreement ‘so as to render them all harmonious’[17] and to ensure the congruent operation of the various components of the agreement as a whole.[18]

[14] Pacific Carriers Ltd v BNP Paribas (2004) 218 CLR 451, [22]; Toll (FGCT) Pty Ltd v Alphapharm Pty Ltd (2004) 219 CLR 165, [40].

[15] Gardiner v Agricultural and Rural Finance Pty Ltd [2007] NSWCA 235, [11]-[13].

[16] Hillas & Co Ltd v Arcos Ltd [1932] All ER 494, 499, 503-4; Upper Hunter County District Council v Australian Chilling and Freezing Co Ltd (1968) 118 CLR 429, 437; Di Dio Nominees Pty Ltd v Brian Mark Real Estate Pty Ltd [1992] 2 VR 732, 740; MLW Technology Pty Ltd v May [2005] VSCA 29, [76]-[81]; Mannai Investment Co Ltd v Eagle Star Life Assurance Co Ltd [1997] AC 749, 770-1.

[17] ABC v Australasian Performing Right Association Ltd (1973) 129 CLR 99, 109.

[18] Wilkie v Gordian Runoff Ltd (2005) 221 CLR 522, [16].

  1. Australian Style contends that clause 14.1.3 of the registrar agreement is void for uncertainty and should be severed from the agreement.  It was submitted on behalf of Australian Style that the words ‘security breach’ in clause 14.1.3 are so unclear as to be effectively devoid of any meaning.  It was submitted that the words ‘could mean so many different things that it is impossible to settle upon the intended meaning without the Court, in effect, re-drafting the clause’.  Alternatively, it was submitted that a security breach within the meaning of clause 14.1.3 must involve:

(1) confidential information being accessed without permission being given either before or after the event; and

(2) that Australian Style must know that such unauthorised access has taken place.

  1. In order for a term of a contract to be void for uncertainty, the words used must be so obscure as to indicate that the parties did not in fact reach agreement.[19]  Australian Style did not dispute that this was so. 

[19] Unique Lifestyle Investments Pty Ltd v Robertson [2005] VSC 347 at [88]-[94] (Dodds‑Streeton J, as she then was).

  1. Both parties called expert evidence concerning the use of the term ‘security breach’ in the information technology industry.  The parties agreed that the relevant principles to be applied in considering that evidence were stated by Ipp J in Homestake Australia Limited v Metana Minerals NL.[20]  In that case, Ipp J reviewed the authorities concerning the reception and use of expert evidence to establish that parties to a contract intended that words used by them should bear the special meaning attributed to them in a particular trade or industry.  Ipp J concluded that a court should only adopt a trade or industry usage, which was different to the ordinary meaning of the words used, where the trade or industry usage is ‘so notorious, uniform and certain that any person making a contract affected thereby must be taken to have intended that the usage should form part of the contract.’[21]  In the circumstances of the case, Ipp J was not satisfied that the special meaning sought to be relied upon was clearly established as notorious, uniform or certain.[22]  In these circumstances, Ipp J stated:

Where it has not been proved that words in a contract have a special meaning in the particular industry in which they are said to be used, the words must be given the meaning they ordinarily bear …[23]

[20] (1991) 11 WAR 435, 446-451.

[21] Ibid, 447.

[22] Ibid, 451.

[23] Ibid (citations omitted).

  1. auDA relied upon the expert evidence of Ajoy Ghosh; Australian Style upon the expert evidence of Allan Watt.  Both experts are well‑credentialed and both gave evidence honestly and endeavoured to assist the Court. 

  1. Mr Ghosh gave evidence that the information technology industry has adopted a common understanding of the phrase ‘security breach’ in the following terms:

A security breach is any event that has, or could, adversely impact the confidentiality, integrity or availability of information stored on a computer system. 

  1. Mr Watt expressed the opinion that there is no common understanding of the phrase ‘security breach’ in the information technology industry in Australia or worldwide, but that ‘conceptually there must be a disclosure of something, otherwise it is not a security breach.’  Further, he gave evidence of some examples of the use of the phrase which indicate that a security breach usually involves the unauthorised disclosure of personal information. 

  1. I do not accept that auDA has established a common understanding in the information technology industry of the phrase ‘security breach’ to the requisite degree of notoriety, uniformity or certainty.  The definition put forward by Mr Ghosh is his honest endeavour to encapsulate in a single definition all circumstances which may amount to a security breach.  I am not satisfied that this definition has widespread acceptance.  Rather, it is one which purports to summarise all of the many ways in which the phrase ‘security breach’ is used in the information technology industry. 

  1. Nor do I accept the evidence of Mr Watt that, although there is no common understanding of the phrase ‘security breach’, a security breach must nevertheless involve the disclosure of some confidential personal information.  Once the Court rejects a suggested common industry usage, that is the limit to which expert evidence can go.  The matter then becomes one for the Court to interpret the words used in accordance with their ordinary meaning.[24] 

[24] Ibid.

  1. In my view, Mr Disspain was entitled to take this earlier conduct by Mr Bolton into account in reaching his conclusion that Australian Style had failed to act in good faith in connection with the sending of the defective e-mail. 

  1. Mr Disspain’s belief that Mr Bolton had not acted in good faith in sending the defective e-mail was only one of the matters which he took into account in deciding to terminate the registrar agreement.  In making that decision, he was also motivated by a belief that Mr Bolton’s conduct, when considered as a whole, demonstrated that he did not understand the seriousness of the 2007 security incident and his failure to give immediate notice of it to auDA.  Mr Disspain’s belief in this regard was based upon a consideration of the conduct of Mr Bolton concerning the 2007 security incident and in response to the 2009 security breach.  The following principal matters informed his belief. 

  1. First, Mr Disspain had a clear view that the 2007 security incident constituted a security breach within the meaning of clause 14.1.3.  His view was confirmed by discussions with relevant auDA staff and the chief technology officer of AusRegistry.  He could not understand how Mr Bolton could hold a contrary view.  To Mr Disspain, once he learned on 13 February 2009 that the Aust Domains consultant had penetrated the Australian Style database and downloaded information, there was no credible argument that a security breach had not taken place.  The fact that Mr Bolton did not understand this, and wished to argue that there was a mere unexploited security vulnerability, indicated to Mr Disspain that Mr Bolton did not understand the seriousness of a security breach and the fundamental need for auDA to be informed as soon as a registrar becomes aware of a security breach. 

  1. It was submitted on behalf of Australian Style that it was totally unreasonable for Mr Disspain to give no credibility whatsoever to the contrary view expressed by Mr Bolton.  I do not accept that submission.  Mr Disspain’s view that the 2007 security incident constituted a security breach was correct.  If the putting forward of a contrary argument by Mr Bolton was the only factor supporting Mr Disspain’s decision to terminate the registrar agreement, there may be some merit in this submission.  However, it was only one of a number of factors informing Mr Disspain’s conclusion that Mr Bolton did not understand the seriousness of the 2007 security incident or of his failure to give notice to auDA of it.  For the reasons appearing below, that conclusion was a reasonable one for Mr Disspain to reach in all of the circumstances. 

  1. Second, accepting the truth of what Mr Bolton had told auDA concerning the 2007 security incident and Australian Style’s response to it, Mr Disspain considered that the conduct of Australian Style demonstrated that it did not treat the 2007 security incident with sufficient seriousness.  Mr Disspain’s concerns in this regard were stated in the notice of termination by auDA of the registrar agreement, and expanded upon in his affidavit sworn in opposition to the application for an interlocutory injunction. 

  1. The first matter which concerned Mr Disspain was the acceptance by Mr Bolton that the ‘security patch’ provided by Aust Domains would adequately address the ‘security flaw’ identified by Aust Domains.  In Mr Disspain’s view, it would have been prudent for Australian Style to conduct an independent security audit of its systems to verify that the security patch adequately addressed the security flaw, and to ascertain that there were no other security vulnerabilities or incidents of unauthorised access to its system.  At the time of Mr Disspain’s decision to terminate the registrar agreement, Australian Style had provided no information to auDA concerning steps which it now says were taken to verify the effectiveness of the security patch provided by Aust Domains.  This was notwithstanding a specific request by auDA in the 19 February letter to that effect.  Mr Disspain was entitled to conclude that, apart from applying the patch, no other steps had been taken by Australian Style in this regard.  Further, in their e‑mail letter of 31 March 2009, auDA’s solicitors stated that auDA understood the only step taken to address the security vulnerability identified by Aust Domains was the application of the security patch provided by Aust Domains, and that no other steps had been taken ‘such as conducting an independent security audit’.  In these circumstances, it is to be expected that, if Australian Style had taken other steps as Mr Bolton now says it did, it would have informed auDA of this fact promptly.  The fact that it did not do so raises serious doubts as to the veracity of Mr Bolton’s evidence that the security patch was thoroughly tested.  This is especially so in circumstances where auDA had made it plain to Australian Style that it viewed the failure by Australian Style to give it immediate notice of the 2007 security incident as a breach of clause 14.1.3 of the registrar agreement which was not capable of remedy and, accordingly, as an event of default. 

  1. Mr Disspain’s concerns in this regard were set out in the notice of termination and in his affidavit in opposition to the application for an interlocutory injunction.  This led Mr Bolton to swear in his affidavit in response that:

Before and after applying the patch, [Australian Style’s] software developers conducted its own thorough testing at the time to ensure that the security flaw was resolved.[38]

[38] Affidavit of Nicholas Francis John Bolton sworn 21 April 2009, [9].

  1. Further, in his evidence in chief, Mr Bolton expanded upon his evidence concerning the testing undertaken by Australian Style in 2007 to ensure that the security flaw was resolved: 

We thoroughly tested it through all our forms to ensure that we couldn't replicate such an incident.  We referenced as much material as we could on the web from the subject and we were satisfied that we had remedied the issue. 

  1. I do not accept this evidence from Mr Bolton.  If such thorough testing had taken place, he would no doubt have informed auDA of it in response to the request contained in the 19 February letter or, at the very latest, by way of immediate response to the 31 March letter from auDA’s solicitors.  If such testing had taken place, the experts agreed that it ought to have been documented.  Yet no such documents were produced.  Further, Mr Bolton said that this testing was undertaken by three previous employees: John Spanos, Jay Lynch and Corin Lawson.  None of them was called to give evidence.  The only one who it was suggested may be unavailable was Mr Lynch, who is apparently travelling in China and has not responded to Mr Bolton’s attempts to contact him via Facebook.  I infer that the evidence of Mr Spanos and Mr Lawson would not have assisted Australian Style. 

  1. The second matter which concerned Mr Disspain was the uncritical acceptance by Mr Bolton of oral assurances given to him by Mr Tabarra of Aust Domains that the only information accessed from the Australian Style system was the ‘table structure’, and that the copy taken of this information had been permanently deleted.  In Mr Disspain’s view, written assurances should have been sought and, in addition, a prudent registrar ‘would have required confirmation from the [unnamed] software developer directly as to what data was downloaded, and that the data had been destroyed’.[39]  In response to this, Mr Bolton gave evidence that Aust Domains could be trusted because, being another auDA accredited registrar, Aust Domains was ‘similarly bound to ensure the security and stability of the Registry system’.  As to the person who in fact downloaded the table structure, Mr Bolton swore that he did not believe it was necessary to seek any form of warranty or undertaking from him:

The “unnamed software developer” was an employee of AustDomains.  As such, I considered a warranty from its director sufficient to rely upon.  I also note that, as the admission of the incident was made by AustDomains and brought to our attention by them, we had no reason to believe that they were not acting in good faith.[40]

[39] Affidavit of Christopher Leonard Disspain sworn 20 April 2009, [60].

[40] Affidavit of Nicholas Francis John Bolton sworn 21 April 2009, [10].

  1. There was nothing unreasonable in Mr Disspain being concerned about the casual manner in which Mr Bolton says he sought assurances from Aust Domains; or about his failure to seek any assurances from the unnamed software developer.  Further, Mr Bolton said that he believed it was ethically inappropriate for Mr Tabarra to have charged Australian Style a fee for providing the security patch.  If Mr Bolton was concerned about Mr Tabarra’s ethics in this regard, he ought not to have accepted verbal assurances from him on such an important matter.  I make no finding that Mr Tabarra’s conduct in this regard was in fact ethically inappropriate.  

  1. Third, Mr Disspain was concerned that Australian Style took no steps to notify its registrants that the security breach had occurred and that there was a potential risk to them of unauthorised access to their private information.  Nor did Australian Style take any steps to reset the passwords of its customers, as it did with its own password.  Once again, Mr Disspain’s concerns in this regard were justified.  Mr Bolton’s only explanation for not advising registrants was that he believed he was entitled to rely upon assurances from Aust Domains and that he did not consider there was any risk to registrants.  This response by Mr Bolton indicates the difficulty with his position.  The clear purpose of requiring Australian Style to give auDA immediate notice of security breaches was to enable auDA to consider what risks might arise from the security breach.  It was not for Mr Bolton to determine that the events constituting the security breach did not give rise to any security risk, and that it was accordingly unnecessary to provide notice of the security breach to auDA. 

  1. Mr Disspain’s concerns about the response of Australian Style to the 2007 security incident were reasonable factors for him to take into account in deciding that the registrar agreement should be terminated. 

  1. The final matter which concerned Mr Disspain was Mr Bolton’s apparent unwillingness to provide all information concerning the 2007 security incident to auDA when requested.  The delay in providing information about the incident, and the incomplete nature of the information provided, caused Mr Disspain to believe that Australian Style was simply in ‘protection mode’ and was not acting in good faith.  That belief was reasonable in all the circumstances. 

  1. Looking at the facts as a whole, Mr Disspain concluded that Mr Bolton did not appreciate the significance of the requirement to notify auDA of security breaches as soon as possible.  It was submitted on behalf of Australian Style that Mr Disspain had no reasonable basis for reaching this conclusion.  Reliance was placed upon the fact that Mr Bolton gave immediate notice when he learned of the 2009 security breach.  However, this does not answer Mr Disspain’s concerns.  The fact remains that Mr Bolton persisted with an untenable argument that no notice was required of the 2007 security incident and, at the same time, was being uncooperative in providing a full response to auDA’s request for information concerning that incident.  Mr Disspain’s belief was in my view reasonably based.  There remained a risk that a future security breach may not be notified by Australian Style to auDA as required by clause 14.1.3.

  1. Further to the above, Mr Disspain’s decision to terminate the registrar agreement was not made hastily.  Australian Style was given a full opportunity to provide relevant information and submissions as to why auDA should not exercise its power of termination.  The arguments put forward by Australian Style were considered.  The fact that Mr Disspain did not accept these arguments is not to the point.   There was nothing unreasonable about Mr Disspain’s decision to terminate the agreement.  He acted in good faith in doing so. 

  1. My conclusion that auDA was entitled to terminate the registrar agreement depends upon my findings that the 2007 security incident constituted a security breach, and that the failure by Australian Style to give immediate notice of that security breach constituted a breach of the registrar agreement which was incapable of remedy.  It is accordingly unnecessary to consider auDA’s alternative case that, even if there was in fact no security breach, or if the failure to give immediate notice of a security breach was a breach capable of remedy, auDA nevertheless considered that to be the case and was accordingly entitled to terminate Australian Style’s accreditation as a registrar under clause 4.2 of the registrar agreement. 

  1. It was also submitted on behalf of Australian Style that the termination of the registrar agreement by Mr Disspain was open to challenge because Australian Style had been singled out for disparate treatment without substantial and reasonable justification, in contravention of clause 19.1.4 of the registrar agreement.  I reject this submission, which was only faintly pressed in final submissions. 

  1. Australian Style raised two matters for consideration in connection with its allegation of disparate treatment.  The principal matter relied upon was auDA’s failure to take action against Aust Domains.  It was submitted that Aust Domains breached its duty of good faith towards auDA when it undertook the unauthorised penetration into the Australian Style database.  Mr Disspain gave a credible and reasonable explanation for why no action had been taken against Aust Domains as a result of this conduct.  First, in his board report of 10 February 2009 Mr Disspain stated that auDA had satisfied itself that Aust Domains no longer used the Australian Style software containing the vulnerability which it had been able to exploit in 2007.  Second, there was no evidence that any person had obtained unauthorised access to the Aust Domains system by using that vulnerability.  Aust Domains had discovered the vulnerability as part of a review of its systems.  Accordingly, Aust Domains was not in breach of the registrar agreement by failing to report a security breach.  An unexploited security vulnerability is not, in Mr Disspain’s view, a security breach.  Third, Mr Disspain was of the view that Aust Domains had not breached any of auDA’s published policies.  Fourth, Mr Disspain said that auDA remained hampered in continuing its investigations of Aust Domains due to an ongoing police investigation into the 2009 security incident.

  1. Further, Mr Disspain’s decision to terminate Australian Style’s registrar agreement was based upon the range of factors discussed above.  There is no evidence that any of these other factors apply to Aust Domains. 

  177. The second matter relied upon to support the allegation of disparate treatment was the contention that Mr Disspain had demonstrated a personal animosity towards Mr Bolton.  This contention was based upon evidence that, in 2002, Mr Disspain told a director of auDA, Peter Dean, that Mr Bolton was not a suitable person to be appointed a director of auDA and he would not support his nomination – ‘never in a million years’.  According to Mr Dean, Mr Disspain did not give any reasons for this statement, and he did not press him to do so.  Mr Disspain denied the conversation occurred.  It was submitted on behalf of Australian Style that the Court should accept Mr Dean’s evidence and find that Mr Disspain had forgotten the conversation.  I accept this submission.  Mr Dean gave a good reason for remembering the conversation, stating that it was out of character for Mr Disspain.  Although he acts as a reseller for registrars in the Australian Style group, it was not put to him that he was lying.  However, even accepting Mr Dean’s evidence, the conversation does not, in the absence of evidence as to Mr Disspain’s reasons for making the comment, demonstrate personal animosity by Mr Disspain towards Mr Bolton at that time, and certainly not in 2009 when he decided to terminate the registrar agreement.  In any event, even if there was some personal animosity by Mr Disspain stemming from 2002, he had an objectively reasonable basis for terminating the registrar agreement seven years later, as set out above.

Was there a subsequent event of default justifying termination of the registrar agreement?

  1. The above findings make it unnecessary to consider an alternative case put forward by auDA to justify its right to terminate the registrar agreement.  However, as the matter was fully argued, I will briefly express my views. 

  1. When auDA terminated the registrar agreement, it directed AusRegistry to disable Australian Style’s EPP connection and to transfer all Australian Style registrants to auDA, as a temporary registrar of record pending transfer to other accredited registrars of record. 

  1. On 16 April 2009, Hansen J granted an interim injunction requiring the re‑transfer to Australian Style of domain names for which it acted as registrar of record at the date of termination. 

  1. Subsequently, on 22 April 2009, Judd J extended that interim injunction until the hearing and determination of the proceeding or further order. 

  1. The effect of the injunctions was to permit Australian Style to continue carrying on its registrar business pending determination of this proceeding. 

  1. The obvious purpose of the injunctions was to preserve the status quo pending the hearing and determination of the proceeding.  As appears below, Australian Style acted to unilaterally disturb that status quo, without notice to auDA or the sanction of the Court.  Further, its actions in doing so were in breach of auDA’s published policy regarding transfers of registrants between registrars. 

  1. During the currency of the injunctions, on 9 and 10 May 2009, Australian Style caused approximately 95% of the .au domain names for which it was registrar of record to be transferred from it to Bottle Domains Pty Ltd (the ‘unauthorised transfers’).  As appears above, Bottle Domains Pty Ltd is another registrar in the Australian Style group of companies and also trades under the ‘Bottle Domains’ name.  

  1. None of the registrants was consulted in advance of the unauthorised transfers.  The transfers were effected administratively by instructions given to AusRegistry by Australian Style.  Australian Style engaged in this conduct without giving prior notification to the defendant or to the Court. 

  1. The obvious purpose of the unauthorised transfers was to defeat the efficacy of auDA’s termination of the registrar agreement in the event that the Court ruled in auDA’s favour following a trial.  Of course, success for auDA would mean that the injunctions would be discharged and auDA would be permitted to rely upon the notice of termination to cause the re‑transfer to itself, as a default registrar, all of the domain names for which Australian Style is the registrar of record. 

  1. The unauthorised transfers were made contrary to auDA’s ‘Transfers (Change of Registrar of Record) Policy’, which requires express instructions in writing for the transfer of a domain name registration from one registrar to another.  Further, in the absence of consent from the registrant, a transfer to another registrar contravenes auDA’s ‘Domain Name Password Policy’ because it involves the disclosure of a registrant’s password to a third party. 

  1. It was submitted on behalf of Australian Style that there had been no breach of auDA’s policies.  Australian Style relied upon an express term contained in its standard form agreement with registrants, which provides that it may transfer its rights or obligations to ‘anyone on notice to you’.  It was submitted by Australian Style that this required subsequent notice following a transfer, not prior notice.  For the purposes of argument, I accept that that may be so.  However, even if that be accepted, auDA’s policy still had to be complied with.  Otherwise, Australian Style would be in breach of the registrar agreement.  auDA’s policy is clear: a transfer requires the ‘gaining registrar’ to receive a written request for transfer from the registrant and not to process the transfer until it is affirmed by the registrant. 

  1. It was submitted on behalf of Australian Style that the transfer policy does not apply to a transfer between registrars under common ownership and control, such as in this case.  I reject that submission.  Each of the registrars in the Australian Style group is a separate legal entity and conducts a separate business.  The fact that they may share facilities or staff is not to the point.  Mr Disspain said in evidence that auDA treats each registrar separately.  For that reason, it has terminated Australian Style’s registrar agreement only and, notwithstanding the conduct of Mr Bolton, has taken no action against the other three registrars in the Australian Style group. 

  1. It was submitted on behalf of Australian Style that, even if the unauthorised transfers were in breach of auDA’s published policies, that breach was capable of remedy because the domain names could be transferred back from Bottle Domains Pty Ltd to Australian Style if a notice to remedy was given.  No notice to remedy was given.  Instead, auDA acted unilaterally and instructed AusRegistry to transfer the domain names back to Australian Style.  I accept that there is force in this submission.  However, it was submitted on behalf of auDA that the conduct of Australian Style in making the unauthorised transfers constituted a breach by Australian Style of its obligation to act in good faith in its dealings with auDA. 

  1. It was submitted on behalf of auDA that it was bad faith for Australian Style to take advantage of the operation of the interlocutory injunction to effect the unauthorised transfers for the purpose of preserving the commercial advantage of acting as the registrar of record in respect of those domain names.  Reliance was placed upon the following matters:

(1)       The injunction was intended to preserve the status quo for all parties, not just to preserve the rights of Australian Style under the registrar agreement. 

(2)       Australian Style must have known that it was possible it could lose this proceeding, and that if it did auDA would re-transfer the domain names to it as default registrar of record, pending further transfer to other accredited registrars chosen by registrants. 

(3)       The interlocutory injunction was granted at the request of Australian Style.  It was submitted that the balance of convenience favoured granting injunctions because the business of Australian Style would otherwise be destroyed, people would lose their jobs, resellers would be put to enormous difficulty and the registrants would need to go to the trouble of changing registrars of record for no good reason if Australian Style was successful in setting aside the notice of termination. 

(4)       In his affidavit seeking injunctive relief, Mr Bolton swore that Australian Style was ‘finding it very difficult to convince [registrants] to transfer the registration of their domain names to another one of Australian Style group’s registrars’.  There was further evidence that Australian Style had made unsuccessful attempts to persuade its customers to transfer registration of their domain names to Bottle Domains Pty Ltd. 

  1. These factors support the conclusion that the purpose of the unauthorised transfers was to defeat the efficacy of the notice of termination in the event that auDA succeeded at trial.  In my view, that conduct by Australian Style breached its obligation to act in good faith in its dealings with auDA, and such a breach is not capable of remedy.  Accordingly, were it necessary to do so, I would have made the declaration sought by auDA in its counter‑claim that it is entitled to terminate the registrar agreement as a result of a breach by Australian Style of its obligation to exercise good faith in its dealings with auDA in connection with the unauthorised transfers. 

Conclusion and orders

  1. For the above reasons, the interlocutory injunctions ordered by Judd J on 22 April 2009 will be discharged.  There will be judgment for auDA in the proceeding.  I will hear the parties as to any other orders which may be necessary to give effect to these reasons for judgment, including any necessary declarations, and as to costs. 

---
