1. About this Data Breach Policy

1.1 This Data Breach Policy applies to agreements between Benchmark Global Pty Ltd or Benchmark Estimating Limited (trading as Benchmark Estimating Software) (Benchmark Estimating Software) and Benchmark Estimating Software’s clients referred to therein, but only where this Data Breach Policy is expressly referred to in any such agreement as being incorporated therein (each an Agreement). Terms used in this Data Breach Policy shall have the meanings given to them in the applicable Agreement, unless otherwise defined in this Data Breach Policy.

1.2 The purpose of this Data Breach Policy is to outline how Benchmark Estimating Software and the Client will approach actual, potential or suspected data breaches that may occur from time to time with respect to Personal Information ‘held’ by both Benchmark Estimating Software and the Client, i.e. that which is hosted by or on behalf of Benchmark Estimating Software under the Agreement (Jointly Held Personal Information). Benchmark Estimating Software’s policy is to investigate and properly address all suspected, actual or potential data breaches involving Jointly Held Personal Information to ensure that Benchmark Estimating Software’s legal obligations under the relevant laws are discharged.

1.3 A data breach is an eligible data breach if there is unauthorised access to or unauthorised disclosure of Jointly Held Personal Information, or a loss of Jointly Held Personal Information, and a reasonable person concludes that the access, disclosure or loss is likely to result in serious harm to one or more individuals to whom the Jointly Held Personal Information relates, and the entity that held the Jointly Held Personal Information has not been able to prevent the likely risk of serious harm to any of the individuals with remedial action. All suspected, actual and potential data breaches involving Jointly Held Personal Information (each, a Breach) must be dealt with by each party on a case by case basis in accordance with this Data Breach Policy and that party’s legal obligations.

2. Retention and Disclosure of Data Breach Records

2.1 Each party must retain all records and evidence concerning any suspected, actual or potential data breach involving Jointly Held Personal Information and upon request by the other party, must provide the other party with a copy of all such records and evidence in its possession or control.

3. The Detecting Party must notify the other party of the Breach

3.1 If there is a Breach, the party that detects the Breach (Detecting Party) must immediately notify the other party of the Breach by email with full particulars of the Breach. The email addresses for the purposes of this clause are as follows:

Benchmark Estimating Software: peter.pavisic@benchmarkestimating.com

Client: As per the Agreement.

4. Action the Detecting Party must take following a Breach

4.1 Upon the Detecting Party detecting the Breach, it must carry out the following actions:

(a) STEP 1: CONTAIN AND ASSESS THE DATA BREACH

The first action that must be taken in response to a suspected, actual or potential data breach is to conduct a preliminary assessment and/or investigation to determine whether there has been a data breach or whether one is likely to occur, and then to contain the breach to prevent further unauthorised access to, disclosure of or loss of information. If the Detecting Party is aware of reasonable grounds for suspecting that a Breach has occurred, the Detecting Party must immediately lock down any potential avenues for further similar data breaches, whether or not it is ultimately proven that the suspected data breach actually occurred. In some cases it may be impossible to determine whether there has been a data breach, particularly where the relevant records confirming the breach have been destroyed or are otherwise unavailable. Even so, the Detecting Party must immediately lock down any potential avenues for further data breaches. Similarly, where a data breach is likely to occur but has not yet occurred, the Detecting Party must do everything possible to prevent it from occurring. The Detecting Party is to engage all relevant IT, security and managerial personnel to contain any suspected or potential data breach. Where an actual data breach has occurred, the Detecting Party must similarly engage all relevant IT, security and managerial personnel to contain the breach.

Once a Breach is properly contained, the Detecting Party must determine whether a data breach has occurred. If the Detecting Party becomes aware of reasonable grounds that indicate that there has been an eligible data breach, the Breach is required to be notified to the relevant individuals at risk of serious harm and to the other party.

(b) STEP 2: NOTIFY INSURERS

The Client must promptly notify its insurers from which it has obtained Cyber Liability Insurance or any other relevant insurance policy (each a Policy) of the Breach, in accordance with the Policy. Benchmark Estimating Software must also promptly notify its Cyber Liability Insurance provider of the Breach.

(c) STEP 3: DETERMINE IF AN ELIGIBLE DATA BREACH HAS OCCURRED

For the purposes of this Data Breach Policy, an eligible data breach occurs if the following three criteria are satisfied:

  • there is unauthorised access to or unauthorised disclosure of Jointly Held Personal Information, or a loss of Jointly Held Personal Information;
  • the Breach is likely to result in serious harm to one or more individuals; and
  • the Detecting Party has not been able to prevent the likely risk of serious harm with remedial action.

The Detecting Party should consider the above criteria when determining whether an eligible data breach has occurred. For the purposes of this Data Breach Policy, serious harm is deemed to have occurred or to be likely to occur if a reasonable person would consider that it has so occurred or is likely to occur. Serious harm in the context of a Breach may include, among other things, serious psychological, physical, emotional, financial or reputational harm. Some of the matters that may inform a decision that serious harm has occurred include the sensitivity of the Jointly Held Personal Information that was the subject of the Breach, the type of Jointly Held Personal Information lost, accessed or disclosed, and whether the Jointly Held Personal Information was encrypted.

If the Detecting Party suspects that a Breach may have occurred, it must take all reasonable steps to ensure that an assessment is completed expeditiously and in any event within thirty (30) days after it becomes aware of the reasonable grounds to suspect that there may have been an eligible data breach for the purposes of this Data Breach Policy. The Detecting Party must keep the other party informed at all times while the Detecting Party is undertaking any assessment of a suspected eligible data breach, and must notify the other party by email (to the address referred to in clause 3.1 of this Data Breach Policy), with full particulars of the eligible data breach, if the Detecting Party becomes aware of reasonable grounds that indicate that an actual eligible data breach has occurred.

(d) STEP 4: REMEDIAL ACTION

Where there is an eligible data breach of Jointly Held Personal Information, a party must use its best endeavours to take positive steps to address the eligible data breach in a timely manner, such that the eligible data breach is no longer likely to cause serious harm. In circumstances where Personal Information is lost but the remedial action removes the likelihood of it causing serious harm, the eligible data breach will be taken not to have occurred.

The parties agree that if a Breach occurs involving Jointly Held Personal Information, the Client and Benchmark Estimating Software must each use their respective best endeavours to take positive steps to address the Breach in a timely manner, such that the eligible data breach is no longer likely to cause serious harm. Each party must keep the other party informed at all times while that remedial action is being undertaken, and must notify the other party if the remedial action has removed the likelihood of the Breach causing serious harm.

If Benchmark Estimating Software forms the opinion in its absolute discretion that the Client has not completed an expeditious assessment of the Breach and/or has not expeditiously carried out remedial action that may result in the Breach not being likely to cause serious harm, and the breach is one that must be notified by applicable law, Benchmark Estimating Software may notify the Client that Benchmark Estimating Software requires the Client to notify the Breach pursuant to clause 5 of this Data Breach Policy (Notification Demand). If Benchmark Estimating Software issues a Notification Demand, the Client must notify all relevant individuals pursuant to clause 5 of this Data Breach Policy within twenty-four (24) hours of the Notification Demand (time being of the essence).

5. Notification

5.1 If an eligible data breach of Jointly Held Personal Information has occurred for the purposes of this Data Breach Policy (that has not been remedied in accordance with clause 4.1(d) of this Data Breach Policy), and the breach is one that must be notified by applicable law, the Client must:

(a) notify Benchmark Estimating Software; and

(b) notify the relevant individuals to whom the Jointly Held Personal Information relates of the eligible data breach.