PageUp's security incident and the Notifiable Data Breaches Scheme
In late May 2018, Australian recruitment and human resources software company ‘PageUp’ suffered a suspected breach of its own and its clients’ data, exposing clients such as Commonwealth Bank and Wesfarmers (amongst others) to privacy and confidentiality risks. With Australia’s Notifiable Data Breaches Scheme having come into effect earlier this year, breaches such as this are of particular significance.
In this article, Partner Hayden Delaney and Special Counsel Steven Hunwicks discuss the Scheme, whether the PageUp security incident could be an “eligible data breach” under the Scheme, and shed light on the implications for PageUp and its clients.
The Scheme commenced on 22 February 2018 and requires organisations regulated by Australia's Privacy Act 1988 (Cth) (Privacy Act) to notify individuals at risk of serious harm due to a data breach. In the event of such a breach, organisations must also file a data breach statement and alert affected individuals as to the contents of the statement.
Not all data breaches are classed as "eligible data breaches" requiring notification. An eligible data breach occurs where:
For instance, if a financial advisory firm realised that, due to an IT error, a database containing the personal information of its clients was made available online, then an eligible data breach may have occurred.
PageUp has reported detecting “unusual activity on its IT infrastructure” and indications that “client data may have been compromised”. Given the personal and sensitive nature of employment and recruitment information, it is possible that unauthorised access to, or disclosure of, this information could result in serious harm to one or more people, which in turn means that this is likely to be classified as an eligible data breach.
If an organisation believes it has experienced an eligible data breach, under the Privacy Act it is required to notify the affected individuals and the Australian Information Commissioner of the breach. There are certain exceptions to this, which are outlined below. However, where an organisation believes that it may have experienced a data breach, it must assess whether the data breach is likely to result in serious harm to any individual to whom the information relates. A ‘reasonable and expeditious’ assessment is required, generally within 30 days of becoming aware of the potential breach.
If the organisation's assessment determines an eligible data breach has occurred, then the organisation must provide the Commissioner with a data breach statement.
The data breach statement which must be provided is separated into two parts. The first is compulsory and must provide:
The second part of the statement is optional. The statement may include:
The organisation must provide the Commissioner with a copy of its data breach statement 'as soon as practicable' after becoming aware of the breach.
The organisation must also notify affected individuals about the contents of its data breach statement, or if this is not practicable, publish a copy of the statement on the organisation's website and take reasonable steps to publicise the contents of the statement.
Based on the limited information available to the public at present, PageUp’s security incident is likely to be an eligible data breach for certain organisations, which will therefore fall within the operation of the Scheme.
The Scheme requires that the organisation with the most direct relationship with affected individuals must comply with the Scheme’s notification requirements, such as filing a data breach statement with the Commissioner and notifying affected individuals as to the contents of that statement. As such, if PageUp’s clients assess the PageUp security incident to be an eligible data breach, they will need to give the required notices.
For clients of PageUp, the security incident brings with it a number of issues, including:
If you are concerned about how PageUp’s security incident may affect you or your organisation, and wish to protect yourself from associated risks and ensure your organisation complies with its obligations under the Scheme, please contact our team of data breach and privacy experts.