1. About this Data Breach Policy

1.1 This Data Breach Policy forms part of the SAAS Services Agreement between Benchmark Global Pty Ltd trading as Benchmark Estimating Software and the Client referred to therein (“SAAS Services Agreement“). Terms used in this Data Breach Policy shall have the meanings given to them in the SAAS Services Agreement, unless otherwise defined in this Data Breach Policy.

1.2 The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (NDB Law) that came into effect on 22 February 2018 established a Notifiable Data Breaches Scheme that requires among other things, certain entities to assess suspected data breaches and notify individuals whose personal information is involved in a data breach that is likely to result in serious harm and the Australian Information Commissioner. The purpose of this Data Breach Policy is to outline how Benchmark Estimating Software and the Client will approach actual, potential or suspected data breaches that may occur from time to time with respect to Personal Information ‘held’ by both Benchmark Estimating Software and the Client (Jointly Held Personal Information). For the purposes of this Data Breach Policy, the word ‘held’ (and other forms of that word) has the meaning that ‘held’ is given in the Privacy Act. Benchmark Estimating Software’s policy is to investigate and properly address all suspected, actual or potential data breaches involving Jointly Held Personal Information to ensure that Benchmark Estimating Software’s legal obligations under the NDB Law are discharged.

1.3 Under the NDB Law, eligible data breaches are notifiable. A data breach is an eligible data breach for the purposes of the NDB Law if there is unauthorised access to or unauthorised disclosure of Jointly Held Personal Information, or a loss of Jointly Held Personal Information, and a reasonable person concludes that the access, disclosure or loss is likely to result in serious harm to one or more individuals to whom the Jointly Held Personal Information relates, and the entity that held the Jointly Held Personal Information has not been able to prevent the likely risk of serious harm to any of the individuals with remedial action. All suspected, actual and potential data breaches involving Jointly Held Personal Information (each, a Breach) must be dealt with by each party on a case by case basis in accordance with this Data Breach Policy and that party’s legal obligations.

2. Retention and Disclosure of Data Breach Records

2.1 Each party must retain all records and evidence concerning any suspected, actual or potential data breach involving Jointly Held Personal Information and upon request by the other party, must provide the other party with a copy of all such records and evidence in its possession or control.

3. The Detecting Party must notify the other party of the Breach

3.1 If there is a Breach, the party that detects the Breach (Detecting Party) must immediately notify the other party of the Breach by email with full particulars of the Breach. The email addresses for the purposes of this clause are as follows:

Benchmark Estimating Software: david.power@benchmarkestimating.com

Client: The Client’s Email Address entered in Item 10 of Schedule 1 of the SAAS Services Agreement

4. Action the Detecting Party must take following a Breach

4.1 Upon the Detecting Party detecting the Breach, it must carry out the following actions:

(a) STEP 1: CONTAIN AND ASSESS THE DATA BREACH

The first action that must be taken in response to a suspected, actual or potential data breach is to firstly conduct a preliminary assessment and/or investigation to determine whether or not there has been a data breach or whether one is likely to occur, and then contain the breach to prevent further unauthorised access or disclosure or loss of information. If the Detecting Party is aware of reasonable grounds for suspecting a Breach occurred, the Detecting Party must immediately lock down any potential avenues for further similar data breaches whether or not it is ultimately proven that a suspected data breach actually occurred. In some cases, it may be impossible to determine whether there has been a data breach, particularly where relevant records confirming the breach have been destroyed or are otherwise unavailable. Even so, the Detecting Party must immediately lock down any potential avenues for further data breaches. Similarly, the Detecting Party must do everything possible to prevent the data breach from occurring.  The Detecting Party is to engage all relevant IT, security and managerial personnel to contain any suspected or potential data breaches. Where an actual data breach has occurred, the Detecting Party must similarly engage all relevant IT, security and managerial personnel to contain the breach.

Once a Breach is properly contained, the Detecting Party must determine if a data breach has occurred that requires notification under the NDB Law. The NDB Law requires that only eligible data breaches must be notified. If the Detecting Party becomes aware of reasonable grounds that indicate that has been an eligible data breach, the Breach is required to be notified to the relevant individuals at risk of serious harm and the Australian Information Commissioner.

(b) STEP 2: NOTIFY INSURERS

The Client must promptly notify its insurers from which it has obtained the Cyber Liability Insurance policy (Policy) referred to in the SAAS Services Agreement, of the Breach, in accordance with the Policy. Benchmark Estimating Software must also promptly notify its Cyber Liability Insurance provider of the Breach.

(c) STEP 3: DETERMINE IF AN ELIGIBLE DATA BREACH HAS OCCURRED

For the purposes of the NDB Law and this Data Breach Policy, an eligible data breach occurs if the following 3 criteria are satisfied:

  • there is unauthorised access to or unauthorised disclosure of Jointly Held Personal Information, or a loss of Jointly Held Personal Information;
  • the Breach is likely to result in serious harm to one or more individuals; and
  • the Detecting Party has not been able to prevent the likely risk of serious harm with remedial action.

The Detecting Party should consider the above criteria when determining whether an eligible data breach has occurred. For the purposes of the NDB scheme, serious harm is deemed to have occurred or be likely to occur if a reasonable person would consider that it has so occurred or is likely to occur. Serious harm is not defined in the Privacy Act, but in the context of a Breach it may include among other things serious psychological, physical, emotional, financial or reputational harm. Some of the matters that may inform a decision that serious harm has occurred include the sensitivity of the Jointly Held Personal Information that was the subject of the Breach, the type of Jointly Held Personal Information lost, accessed or disclosed, and whether the Jointly Held Personal Information was encrypted. 

The NDB Law requires entities subject to the Privacy Act to investigate suspected eligible data breaches when they are aware that there are reasonable grounds to suspect that there may have been an eligible data breach but the entity is not aware whether or not there has been an actual eligible data breach. The NDB Law requires such entities to carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of the entity. Therefore, if the Detecting Party suspects that a Breach may have occurred, it must take all reasonable steps to ensure that an assessment is completed expeditiously and in any event within thirty (30) days after it becomes aware of the reasonable grounds to suspect that there may have been an eligible data breach for the purpose of the NDB Law. The Detecting Party must keep the other party informed at all times while the Detecting Party is undertaking any assessment of a suspected eligible data breach, and must notify the other party by email (to the address referred to in clause 3.1 of this Data Breach Policy if the Detecting Party becomes aware of reasonable grounds that indicate that an actual eligible data breach has occurred with full particulars of the eligible data breach.

(d) STEP 4: REMEDIAL ACTION

Under the NDB Law, where there is an eligible breach of jointly held information, a party must use its best endeavours to take positive steps to address the eligible breach in a timely manner, which results in the eligible data breach not being likely to cause serious harm. In circumstances where personal information is lost but the remedial action removes the likelihood of it causing serious harm, the NDB Law provides that the eligible data breach will be taken to have not occurred.

The parties agree that if a Breach occurs involving Jointly Held Information, the Client and Benchmark Estimating Software must each use their respective best endeavours to take positive steps to address the Breach in a timely manner, which results in the eligible data breach not being likely to cause serious harm. Each party must keep the other party informed at all times while that remedial action is being undertaken, and must notify the other party if the remedial action has removed the likelihood of the Breach causing serious harm.

If Benchmark Estimating Software forms the opinion in its absolute discretion that the Client has not completed an expeditious assessment of the Breach and/or has not expeditiously carried out remedial action that may result in the Breach not being likely to cause serious harm, Benchmark Estimating Software may notify the Client that Benchmark Estimating Software requires the Client to notify the Breach pursuant to clause 5 of this Data Breach Policy (Notification Demand). If Benchmark Estimating Software issues a Notification Demand, the Client must notify all relevant individuals and the Office of the Information Commissioner pursuant to clause 5 of this Data Breach Policy within twenty-four (24) hours of the Notification Demand (time being of the essence) notwithstanding that clause 5 may require the notifications to be issued within a different period of time.

5. Notification

5.1 If an eligible data breach of Jointly Held Personal Information has occurred for the purposes of the NDB Law (that has not been remedied in accordance with clause 4.1(d) of this Data Breach Policy), the Client must as soon as possible:

(a) notify the Commissioner of the eligible data breach; and

(b) notify relevant individuals of whom the Jointly Held Personal Data relates to of the eligible data breach,

in accordance with the NDB Law.