By a strange confluence of events, 2022 is fast becoming the year of the high-profile defamation case.  Tech giants Google and Twitter, Hollywood stars Johnny Depp and Amber Heard, Australian politicians Peter Dutton and John Barilaro, decorated soldier Ben Roberts-Smith and the previously anonymous @PRGuy17 have all found themselves on one side or another of a defamation trial.  One of the most captivating of all has been the UK proceedings between Rebekah Vardy and Coleen Rooney, each the wife of a former English football star.

While we’ll leave the analysis of UK libel laws to others, the arguments at trial raise interesting questions as to when a person may be liable for activity on their online accounts when sharing their log-in credentials. 


The genesis of the proceedings dates back to 2019.  Coleen Rooney, embarrassed and frustrated that her private Instagram posts were finding their way to the British tabloids and gossip mags, took action.  She began sharing fake posts with smaller and smaller subsets of her followers (Instagram allows posts to be shared with limited groups but does not inform the viewers that access has been restricted).  Each time a story leaked, Rooney was able to narrow the field of suspects until a story shared with Rebekah Vardy (and only Vardy) found its way to the media. 

Rooney took to Instagram (this time to anyone who would listen) to reveal her discovery.  It soon went viral and earnt Rooney the moniker “WAGatha Christie”.  Vardy, despite Rooney’s evidence, vehemently denies the allegation and claims she never breached Rooney’s confidence.  This didn’t stop the social media pile-on and Vardy sued Rooney for defamation.

At trial, Rooney has defended the claim by arguing the defence of truth.  Vardy’s case is that although the information may have been accessed via Vardy’s account, Rooney is unable to prove that Vardy was actually the one leaking the information.  This is because Vardy gave her Instagram log-in details to her publicist (this was done for legitimate purposes: the publicist would schedule posts for Vardy).  Vardy claims that because Rooney didn’t know whether it was the publicist or Vardy doing the leaking, she had no basis for making the allegations that she did.  In an unfortunate turn of events (or conveniently, depending on your perspective), Vardy’s publicist lost her smartphone over the side of a ferry in the North Sea.  This may mean conclusive evidence as to who was sending Rooney’s posts to the tabloids may never be found.

Why do we care?

The case is likely to turn on the credibility of the witnesses and nuances of defamation law which we won’t be discussing here. 

However, what is interesting is Vardy’s argument that she wasn’t responsible for the actions of her publicist, to whom she’d voluntarily provided access to her Instagram account.  What Vardy did in sharing her log-in details with her publicist is a relatively common practice.  People often share their log-in details with others whom they trust – depending on the context, typically this may include family members and work colleagues.  However, what happens where someone (we’ll call this person Xavier in our examples) empowers someone else (whom we will call Yvonne) to act in Xavier’s name in one way or another? When can Xavier be held responsible for the actions of Yvonne?

The scenarios below are set out by topic, scenario and outcome.

Terms of Service

Scenario: Xavier gives Yvonne his social media log-in details and Yvonne uses the account in a way that breaches the social media platform’s terms of service.  For example, she publishes material which is offensive, which is not permitted on the social media platform.

Outcome: While it will ultimately turn on the specific drafting of the social media platform’s terms of service, most terms of service typically state that the registered user is responsible for any conduct under the user’s account.  Some even expressly prohibit the sharing of log-in details.  Accordingly, the social media platform would likely be able to exercise its rights under the terms of service, which may include suspending or terminating Xavier’s account.

Criminal conduct

Scenario: Xavier gives Yvonne his mobile phone password and Yvonne uses Xavier’s phone to commit a criminal offence, without Xavier’s knowledge.  For example, if Yvonne used the phone to menace or harass someone.

Outcome: It is an offence under the Commonwealth Criminal Code to use a carriage service to menace, harass or cause offence.  However, in this factual scenario, Yvonne is the one carrying out the elements of the offence, not Xavier.  It is unlikely that Xavier would have a case to answer, unless the next scenario applied.

Criminal conduct – accessory

Scenario: Same scenario as above but this time Xavier gave Yvonne his password knowing that she would use it to menace or harass someone.

Outcome: Under Australian criminal law, you can be held criminally liable if you aid, abet, counsel or procure an offence (although different formulations apply across the States and Territories).  The phrase ‘aid, abet, counsel or procure’ is read collectively and interpreted reasonably broadly to mean any encouragement or assistance to the commission of a crime.  Here, as Xavier has provided access to his phone knowing that Yvonne intended to use it to commit a crime, Xavier could be charged and convicted as an accessory.

Electronic execution

Imagine now that Xavier and Yvonne are going into business together.  They apply for a loan and the bank sends the loan documentation to them electronically, for electronic execution. 

Xavier is leaving for a camping holiday and will be in a remote area when the loan documents are due to arrive, so he gives Yvonne his log-in details and tells her she can execute on his behalf.

The business soon fails and Yvonne files for bankruptcy.  The bank sues Xavier to recover the debt under the loan.  Is Xavier bound by the loan documents?

In this scenario, the steps taken by Xavier would indicate he has accepted the terms of the loan documents and therefore the consequences of non-repayment. 

He knew the loan documents were coming and has knowingly given Yvonne instructions to execute the loan on his behalf. 

It is likely that a court would readily find that he sufficiently provided his acceptance to the loan, or if necessary that he had appointed Yvonne as his agent to accept the contract.  Either way, he would be bound.

Electronic execution – no consent

Twisting the scenario above slightly, what if Xavier and Yvonne are again in business together but Yvonne arranges the loan without Xavier’s knowledge. 

When the bank sends the loan documents for electronic execution, Yvonne accesses Xavier’s email account without his permission and executes on his behalf. 

This was the scenario in Marketlend Pty Ltd v Blackburn [2020] NSWDC 358.  There, two directors were required to execute loan documents jointly on behalf of their company, as well as to execute their own personal guarantees.  One director executed for themselves and then went on to execute as the other director without the other director’s knowledge.  They did so by accessing the other director’s email account, which was not secured by a password on the device used.

In that case, the court held that the director whose signature was applied fraudulently was not liable to repay the debts.  The lender had not sought or obtained evidence of independent legal advice and there was metadata which showed that the signature could not have been applied by the non-signing director (as that director could show they were in a different location from that which the metadata indicated).

The same result was reached in Williams Group Australia v Crocker [2016] NSWCA 265 in a case where a director’s electronic signature was applied without his knowledge to a personal guarantee on a trade account.  In this case, the director had made their account details available to others in the office, but he had not specifically authorised the signing of the personal guarantee.  Metadata showed that his electronic signature was applied using a computer in his office, however, the director was not in the office on that day. 

Turning to our scenario, Xavier would have good grounds to argue that he shouldn’t be bound by the loan documents.

Third party banking apps

Let’s start drawing a longer bow.

Say Yvonne operates a budgeting platform which accesses users’ online banking data in order to help with budgeting.  Yvonne’s platform requires users to provide their internet banking log-in details. 

Xavier wants to use Yvonne’s platform so he submits his log-in details.  Later, Yvonne’s platform is hacked and money is withdrawn from Xavier’s account.  Xavier tries to rely on a fraud guarantee from his bank.

This scenario was a major topic of conversation a few years ago.  Most large Australian banks provide fraud guarantees against losses due to unauthorised transactions on your online banking account.  When apps like Yvonne’s launched, the banks responded by saying that they wouldn’t honour the fraud guarantee because they couldn’t trust the cyber security controls of the third party apps.  The app providers countered saying that their security was as good as the banks and the banks’ concerns were misplaced.

Again, whether a bank’s fraud guarantee would respond in this scenario is a question of the specific drafting of the bank’s terms and conditions.  Most exclude coverage where individuals haven’t secured their log-in details.  Accordingly, Xavier may well find himself without coverage.

For completeness, we note these regimes are quickly becoming unnecessary with the introduction of the consumer data right.

Inadequate platform security

Staying on the theme of cloud platforms, now imagine that Xavier is operating some sort of business and Yvonne provides a cloud service which, among other things, stores confidential information of Xavier’s clients.

Yvonne’s platform has a bug, which means that the information supplied by Xavier is publicly accessible.

Here we will look at the rights of Xavier’s customers against both Xavier and Yvonne.

With respect to Xavier, the rights of his customers would ultimately depend on what he has agreed with those customers.  Xavier’s terms might be very “Xavier-friendly” and only impose limited confidentiality obligations or include broad exclusions or limitations of liability.  Alternatively, the terms might give the customers remedies against Xavier for any breach of confidence, such as the one that occurs here.

Even if there is no contract, customers have provided their information in circumstances where they would have a reasonable expectation of confidence from Xavier.  This may give rise to an equitable duty of confidence (see Moorgate Tobacco v Philip Morris (No 2) (1984) 156 CLR 414).  The question would then become whether Xavier had met the standard of care required, or if he breached it by providing the data to Yvonne’s platform.  This would depend on a number of factors, such as the type of information, the impacts of disclosure and the diligence which Xavier conducted in relation to Yvonne’s platform, just to name a few.

With respect to Yvonne, there is no contract between Xavier’s customers and her, so she doesn’t have to worry about claims for breach of contract.  She may, however, owe the customers a duty of confidence similar to what Xavier owed them, or may be faced by a claim for negligence.  Factors similar to those mentioned above would be relevant.

Property law

Now let’s move away from the tech world and consider a parallel example arising out of property law.

Imagine Xavier gives Yvonne the duplicate certificate of title for his house (or, if it was a non-Torrens title jurisdiction, gives her the stack of every transfer deed for his property dating back to the original crown grant).  Yvonne then takes this documentation and deals with the asset, say by granting a lease or securing a mortgage (or even granting a profit à prendre).  Would the third party be able to enforce the newly created property right over Xavier’s land?

The question is reasonably straightforward under a Torrens title system and would turn on whether the interest has been registered.  Assuming the third party has successfully registered their interest (which would be achievable with the duplicate certificate of title and some forged signatures provided by Yvonne) and provided the third party had no involvement in Yvonne’s deception, the third party would receive indefeasible title upon registration and Xavier would be bound.  See, for example, Mayer v Coe [1968] 2 NSWR 747.

Even under a non-Torrens land system, Courts have held that because the holder of the transfer deeds had everything that they needed in order to deal with the property, an owner who voluntarily handed them over to another person would be bound by that person’s actions.  Again, the innocent third party would be able to enforce their newly acquired rights over Xavier’s property.  See Brocklesby v Temperance Permanent Building Society [1895] AC 173.


While we await the decision in Vardy v Rooney, the case serves as a timely reminder that, under Australian law, a person who provides their log-in details or similar (such as access to their email) to another person may be responsible for what that other person does, whether or not that other person is acting within the scope of their authority.  Care must be taken when deciding whether to share your log-in details with others.  Similarly, parties who are relying upon counterparties signing documents electronically should take additional steps to satisfy themselves that the counterparty they are dealing with is actually the person who is signing the documents.  Failure to do so risks a court finding that the contract was never validly executed and therefore doesn’t bind the purported counterparty.


Authors: Amelia Harvey, Mark Ferguson, Andrew Hii 
