In late May 2018, Australian recruitment and human resources software company ‘PageUp’ suffered a suspected breach of its own and its clients’ data, exposing clients such as Commonwealth Bank and Wesfarmers (amongst others) to privacy and confidentiality risks. With Australia’s Notifiable Data Breaches Scheme coming into effect earlier this year, breaches such as this are of particular significance.

In this article, Partner Hayden Delaney and Associates Steven Hunwicks and Verity Stone discuss the Scheme, whether the PageUp security incident could be an “eligible data breach” under the Scheme, and shed light on the implications for PageUp and its clients.

What is the Scheme?

The Scheme commenced on 22 February 2018 and requires organisations regulated by Australia's Privacy Act 1988 (Cth) to notify individuals at risk of serious harm due to a data breach. In the event of such a breach, organisations must also file a data breach statement and alert affected individuals as to the contents of the statement.

What is an eligible data breach?

Not all data breaches are classed as "eligible data breaches" which require notification. An eligible data breach occurs where:

  • there is unauthorised access to, disclosure of, or loss of personal information held by an entity;
  • it is likely to result in “serious harm” to one or more people; and
  • the entity has not been able to reduce this risk of “serious harm”.

For instance, if a financial advisory firm realised that, due to an IT error, a database containing the personal information of its clients was made available online, then an eligible data breach may have occurred.

PageUp has reported detecting “unusual activity on its IT infrastructure” and indications that “client data may have been compromised”. Given the personal and sensitive nature of employment and recruitment information, it is possible that unauthorised access to, or disclosure of, this information could result in serious harm to one or more people, which, in turn, means that this is likely to be classified as an eligible data breach.

When must a suspected data breach be assessed?

If an organisation believes it has experienced an eligible data breach, under the Privacy Act it is required to notify the affected individuals and the Australian Information Commissioner of the breach. There are certain exceptions to this, which are outlined below. However, where an organisation believes that it may have experienced a data breach, it must assess whether the data breach is likely to result in serious harm to any individual to whom the information relates. A ‘reasonable and expeditious’ assessment is required, generally within 30 days of becoming aware of the potential breach.

If the organisation's assessment determines an eligible data breach has occurred, then the organisation must provide the Commissioner with a data breach statement.

What needs to be included in a data breach statement?

The data breach statement which must be provided is separated into two parts. The first is compulsory and must provide:

  • the organisation or company name, the organisation's contact details, and any trading name;
  • a description of the breach;
  • a description of the kind of information involved; and
  • recommendations for the affected individuals as to what steps they should take in response to the breach.

The second part of the statement is optional. The statement may include:

  • if the breach affected more than one entity, the identity and contact details of the other entities involved;
  • the date/s when the breach occurred and when it was discovered;
  • descriptive information, such as the cause of the breach and how it occurred;
  • the number of individuals whose personal information is involved; and
  • details of the actions undertaken by the organisation to assist affected individuals and to prevent further breaches.

The organisation must provide the Commissioner with a copy of its data breach statement 'as soon as practicable' after becoming aware of the breach.

The organisation must also notify affected individuals about the contents of its data breach statement, or if this is not practicable, publish a copy of the statement on the organisation's website and take reasonable steps to publicise the contents of the statement.

Implications for PageUp and its clients

Based on the limited information available to the public at present, it is likely that PageUp’s security incident may be an eligible data breach for certain organisations, which will fall within the operation of the Scheme.

The Scheme requires that the organisation with the most direct relationship with affected individuals must comply with the Scheme’s notification requirements, such as filing a data breach statement with the Commissioner and notifying affected individuals as to the contents of that statement. As such, if PageUp’s clients assess the PageUp security incident to be an eligible data breach, they will need to give the required notices.

For clients of PageUp, the security incident brings with it a number of issues, including:

  • the importance for organisations to have their contracts (if using cloud service providers) carefully reviewed by lawyers who are experienced in ICT, privacy and data security;
  • the necessity for boards and senior management to understand and manage the privacy and security risks within their organisation;
  • exposure of personal information of current employees and job seekers;
  • assessing whether a risk of serious harm exists, and consequently whether an “eligible data breach” has occurred;
  • if an “eligible data breach” has occurred, compliance with the necessary notification requirements;
  • business impacts, including the risk of reputational harm and the financial costs of implementing business continuity plans or work-arounds; and
  • possible civil claims from affected individuals.