It has recently been alleged that the personal information of hundreds of CBUS members was leaked to a union boss as part of an industrial campaign. The allegations have been forwarded to the Australian Federal Police and the Australian Privacy Commissioner (Privacy Commissioner).
It is alleged that:
- a senior employee of CBUS leaked the names, birth dates, postal and email addresses, phone numbers, and superannuation contribution details of more than 400 members, most of whom were not union members, to the NSW Construction Forestry Mining and Energy Union (NSW CFMEU) branch secretary without their knowledge and consent;
- the information was used to help formulate an industrial campaign against an employer-sponsor that had been involved in litigation against the NSW CFMEU in several states;
- upon accessing the member details, the NSW CFMEU telephoned and quizzed those members (who were all employed by the one employer) about their entitlements, in order to get them to put pressure on the company’s management; and
- in a small number of cases, the members were falsely told the call was being made on behalf of CBUS.
There is no evidence to suggest that the CBUS Board was aware of the breach, and CBUS has stated that the allegations are being investigated internally.
Thomson Geer Comment
These allegations are extremely serious and a number of commercial and legal issues arise as a result.
Commercially, CBUS will be concerned about the effect of the privacy breach on the 400 members and whether the allegations could lead to member leakage (or make potential members think twice about joining CBUS). The two main questions members would probably ask themselves are:
- “has this impacted my account balance”; and
- “what has been the effect of my personal information being leaked”.
In this case, certain members may feel quite threatened by the fact that:
- someone unknown to them has their personal details and can contact or approach them (in this case, the members of a “militant union”) without the member being aware; and
- they could be the victims of fraud.
Compounding the issue of member leakage (and potentially much more damaging to CBUS) will be whether the allegations may lead to standard employer-sponsors leaving the fund and/or potential standard employer-sponsors deciding to remain with, or participate in, an alternative fund, on the basis that the contributions they make into CBUS have the potential to expose them to union backlash and commercial pressure, as well as exposing their employees’ personal information to unauthorised third parties.
CBUS states that it is carrying out an internal investigation. Further it will most likely have to write to its members and employer-sponsors, if for no other reason than to assure them that its privacy policies are robust and that no harm has occurred to any member’s account (or that the allegations are false, if this is correct). With 700,000 members, the expense of a mail-out will be quite large.
Added to this expense, the volume of calls, queries and complaints from members and employers as a result of the allegations may rise. Further, if member passwords (for example) were leaked, CBUS (or its administrator) and its members may be required to change these.
CBUS would be subject to some form of reputation risk, and potentially this could also cast a shadow over all Industry Funds, with a number of effects:
- the allegations play into the hands of those who advocate Retail Funds or SMSFs:
  - there will be sectors of the superannuation industry that will claim that “union-dominated” superannuation funds don’t act in the best interests of members (it is a very easy criticism to make, despite the fact that equal representation rules exist);
  - those selling SMSFs may now argue that SMSF members have complete control, not only over their investments but also over their personal information; and
  - it would make sense for Retail Funds (and their advocates) to use the CBUS allegations, where possible, to further their cases for inclusion in Modern Awards;
- the allegations (unjustly) are likely to further fuel the independent director debate; and
- the allegations touch on many legal requirements, involving various separate regulators. The question that may arise from the allegations is whether there are adequate protections in place or whether superannuation funds require further oversight, leading to more costs for superannuation funds.
In this case, it is unlikely that the Privacy Act was breached because (we expect that) CBUS would have Privacy Act-compliant policies and procedures in place. Instead, a recalcitrant employee took steps to breach those policies and procedures.
We expect that CBUS would:
- have systems, processes and procedures to protect personal information;
- implement appropriate staff training; and
- take reasonable steps to restrict access to personal information only to those employees who require such access in order to fulfil their tasks and duties.
Assuming such practices are in place, it would be unlikely that the Privacy Commissioner would seek to investigate.
However, if CBUS had failed to have compliant policies and procedures in place, and this resulted in or exacerbated the leak, it would likely be in breach of the Privacy Act and could be liable to penalties of up to $1.7 million as a result of “serious interference” with members’ privacy.
It is worth noting that sections 183 and 184 of the Corporations Act do not only apply to a Board of Directors, but also to officers (those involved in decision-making) and employees. Under these provisions, officers and employees must not (by virtue of their position) obtain and improperly use information in order to gain an advantage for themselves or someone else (in this case, the NSW CFMEU).
A breach of these provisions can lead to penalties of up to $200,000 for individuals and $1 million for companies. If the breaches were deliberate (or, in some cases, reckless), such breaches are considered to be a criminal offence and individuals could be liable for penalties of up to $340,000 and/or 5 years imprisonment.
APRA Prudential Standard SPS 220 - Risk Management requires trustees to maintain adequate systems and resources to ensure protection, security and privacy of confidential, personal and sensitive material. Further, SPS 231 - Outsourcing requires all material outsourcing agreements to contain provisions governing the confidentiality, privacy and security of information.
Therefore, if an employee of an outsourced service provider leaked the information (which appears not to have occurred in this case), CBUS would be reliant on the confidentiality and liability/indemnity provisions contained in its outsourcing agreement when taking action against the service provider (or the provider’s agents).
If APRA determines that a trustee has breached a Prudential Standard (and assuming that breach caused or contributed to the leak, or prevented the trustee from mitigating it), it has the power to impose further conditions on a trustee’s RSE Licence (and, in the process, advise ASIC of its actions).
Finally, if there was a loss to members and it could be shown that the loss was due to the CBUS Board failing to comply with its privacy and confidentiality obligations, potentially a class action might be instituted on the basis that CBUS and/or its Board failed to exercise the relevant degree of care, skill and diligence required under the SIS Covenants.
Standard employer-sponsor agreement
We are unsure whether the employer-sponsor in question is a standard employer-sponsor. If it is, questions would be raised as to whether there is any breach of the relevant standard employer-sponsor agreement and whether CBUS could be exposed to any form of liability or indemnity to the standard employer-sponsor for such a breach.
Dependent upon the terms of the Sponsorship Agreement between CBUS and the CFMEU, CBUS may have some recourse against it for any loss or damage caused by NSW CFMEU. However, given that Sponsorship provides Industry Funds with the benefits of promotion and support, CBUS would have to weigh up the benefits and costs of taking legal action against one of its major Sponsors.
There should be no doubt that CBUS would have robust compliance policies addressing its privacy and confidentiality requirements under the relevant law. However, no matter how good a trustee’s policies and procedures may be, sometimes a recalcitrant employee or associate may take unlawful steps that simply cannot be controlled. In this case, CBUS should be assessing whether the relevant employee breached the terms of his employment contract (most likely) and should have his employment terminated.
Therefore, in order to mitigate the risks of such breaches, trustees must demonstrate that they have appropriate systems in place. From a privacy perspective, trustees need to ensure they have:
- adopted practices, procedures and systems:
  - that are designed to ensure that personal information is dealt with in accordance with the Australian Privacy Principles;
  - which include the provision of appropriate training to employees regarding their obligations to maintain the security and confidentiality of personal and other confidential information;
  - that allow any breaches of the Australian Privacy Principles to be speedily rectified and any loss or risk arising to be mitigated;
  - that are designed to prevent and mitigate breaches by outsourced service providers; and
- ensured that when a data breach occurs, affected individuals are notified where appropriate.