What happens when a mailout goes horribly wrong – and then the data breach notification is worse
The release earlier this month of the OAIC’s 2023 Community Attitudes to Privacy Survey has revealed that in the prior 12 months, 47% of adult Australians had been notified by an organisation that their data had been involved in a data breach.
Not surprising, given the scale of the Optus, Medibank and Latitude Financial data breaches.
But while we wait for the repercussions of those mega-breaches to play out through the OAIC’s investigations and class actions before the courts, a less publicised large data breach by a NSW government agency has already resulted in the first compensation payout.
Whether you look at the federal Privacy Act, or the new NSW mandatory notifiable data breach scheme, simply suffering a data breach is not of itself considered an ‘interference with privacy’, such as to trigger the right for individuals to make a privacy complaint, or seek compensation. Under the Privacy Act for example, the new $50 million fines can’t be levied simply because a data breach has occurred. However those enormous penalties could come into play if the notification to affected customers of a data breach tips them off to poor practices, and customers then complain about a breach of the Data Security privacy principle. That is exactly what happened in this case.
The NSW Civil and Administrative Tribunal (NCAT)’s autopsy of what happened, both before and after a data breach, offers lessons for organisations of any type. The nature of the conduct that was found in breach of the data security principle, how the data breach was notified to affected individuals, the size of the compensation payout and other remedies ordered, are all of interest.
The breach: a simple error snowballs
It’s not the most exciting of case names, but FMM v Nominal Insurer  NSWCATAD 114 arose out of a data breach affecting almost 200,000 people. The data breach was not the result of criminal conduct such as hacking or phishing, but a combination of factors. NCAT described it as human error leading to system failure, but in my view it reflects an under-investment in privacy protection in the design of systems for handling and sharing high-value personal information.
icare manages the workers compensation scheme in NSW, on behalf of the Nominal Insurer. For employers over a certain size, it was icare’s practice to provide a monthly report to each employer about the status of all workers compensation claims affecting that employer. The monthly ‘cost of claims’ reports were in the nature of a spreadsheet, which included personal information about injured workers at that workplace. The information included each worker’s name, date of birth, gender, description of occupation, date of injury, nature of the injury or disease, working days lost, whether liability was accepted or declined, weekly compensation payment amount, and gross amount paid on the claim.
Somewhat incredibly, these reports were simply emailed to employers (or their insurance brokers), every month. They were not encrypted. They had no password protection. There was no de-identification of the data.
As we will see, NCAT described this system for sharing personal information with employers as “a very serious contravention” of the Data Security principles in NSW privacy law, IPP 5 and HPP 5.
In April 2022, someone in the data and analytics team at icare was transcribing the master distribution list for these reports, from one excel spreadsheet to another. (Why they were doing this was not explained in NCAT’s judgment.) They made an error, and the data extract was pasted one row down into the new spreadsheet. This resulted in a “misalignment” between the policy number of the employer, and the email address to which the corresponding report should be sent. The policy number was the key used to identify and extract the relevant claims data for each monthly report.
This error occurred at the top of the distribution list, and therefore affected every record. The error was not picked up, and the April reports were emailed out. As a result, 572 recipients were sent the wrong cost of claims report. The number of injured workers whose records were contained in the reports sent to the wrong people was 191,870.
The breach response
Compounding the errors made which led to the data breach in the first place, icare then made some errors in the way it handled the data breach.
icare were notified of the distribution error and begin their data breach response process. Three days later they emailed the recipients of the reports asking them to delete the reports that they had received. Within the next month or so, affected workers were notified about the data breach.
Considering the potential impact on workers with open claims for psychological injuries, icare determined not to notify that particular subset of affected individuals. (At the time of the breach, NSW public sector agencies were covered by a voluntary notifiable data breach scheme. The mandatory scheme will commence on 28 November 2023.)
However somehow, these particularly vulnerable individuals were also sent the data breach notification, in error. FMM was one of those individuals: her workers compensation claim related to psychological injuries including anxiety and depression.
(I will note as a side issue that this is an incredibly difficult issue for organisations to manage. If you decide not to notify some affected individuals of a data breach because you are worried about those individuals suffering harm triggered by the notification, but then they found out through the media anyway, you could be left in an even worse position: being accused of a cover-up. You should instead think about additional procedures for contacting particularly vulnerable individuals, in a more tailored and delicate way.)
FMM was sent a letter by email on 30 May, which stated that “icare inadvertently forwarded a report containing a limited amount of information relating to your workers compensation claim to another employer, who should not have received it”. The data involved in the breach was described in the letter to FMM as “limited information” such as her “name, date of birth and injury category”, and also reassured her that the data “does not contain personal financial information or contact details”.
FMM immediately replied asking how the data breach happened and what was the “limited information” that was disclosed. She also launched a privacy complaint by way of an internal review application on the same day. (An ‘internal review’ application is the first step by which privacy complaints against NSW public sector agencies can make it to NCAT for external review.) The initial reply to FMM repeated the same information; it did not elaborate any further on either the cause of the data breach, or the extent of the personal information that had been disclosed.
The later internal review report from icare noted that in her case the report had gone to an insurance broker for a different employer, who had assured icare that he had deleted the report without reading it. icare admitted the unauthorised disclosure that arose from the data breach, and issued an apology, but claimed that there were no consequences for FMM from the data breach, because the recipient had not read the contents of the report containing her personal information.
The complaint heads to the Tribunal
FMM exercised her right to seek further review in NCAT, claiming that her injuries had been exacerbated by the data breach. She claimed breaches of IPP 5 (the Data Security principle), and IPP 11 (the Disclosure principle), and the HPP equivalents for health information.
Disturbingly, NCAT also noted that when FMM issued a summons as part of her privacy proceedings, seeking a copy of her information as disclosed in the data breach, she was accidentally given an unredacted copy of the entire cost of claims report, containing the details of all the other injured workers at her former workplace as well. However since the conduct of the litigation before NCAT does not form part of the ‘conduct’ under review by NCAT, any further distress or harm caused by the second inadvertent disclosure could not be taken into consideration in this case.
Downplaying the breach
NCAT was scathing of the language used in the data breach notification to FMM: “A striking feature of the agency’s subsequent handling of the disclosure of the applicant’s personal and health information has been its attempt to minimise the extent of the disclosure”. NCAT mentioned in particular the misleading claim that no personal financial information had been disclosed, and described the actual financial information disclosed, being weekly payment amounts and the gross amount paid on the claim, as “highly sensitive information”.
NCAT also noted that in communications with the applicant and elsewhere, icare had described the information disclosed as “very limited”, “high level”, a “summary” or an “overview” of claims information. NCAT was unimpressed, describing the combination of the applicant’s identity details with “a summary of (her) mental health condition and disability” as “highly sensitive”.
Was there a disclosure?
Once before NCAT, icare resiled from their earlier admission of an unauthorised disclosure. They claimed that there had been no ‘disclosure’ of FMM’s personal information, because the insurance broker attested that he had deleted the report without reading it.
However NCAT disagreed, noting that the fact that the insurance broker did not read the report does not mean it was not disclosed to him: “The applicant’s personal and health information was put in (his) possession and placed under his control. He could have done anything with it … The fact that (he) acted ethically by deleting the applicant’s personal and health information without reading it does not ‘cure’ its unlawful disclosure to him”.
NCAT therefore found that there was an unauthorised disclosure in breach of the Disclosure principles.
The next issue to be determined was whether there had also been a breach of the Data Security principles. NCAT followed earlier decisions such as CHY v Family and Community Services and BE v UTS, in noting that the mere fact of an unauthorised disclosure does not automatically lead to a finding that there has been a breach of the Data Security principle.
It also follows that there can be a breach of the Data Security principle even if there was no unauthorised disclosure, or, as was the case for FMM, even if the unauthorised disclosure did not actually lead to a recipient receiving the information, let alone making use of it to cause harm.
Potential consequences dictate ‘reasonable steps’
NCAT noted that the potential consequences of the disclosure were very serious, both “viewed generally”, and in the applicant’s particular case. Noting that the applicant had a psychological injury which was the subject of her workers compensation claim, NCAT stated that the disclosure of FMM’s information could have “grave consequences in terms of her privacy and identity security”.
NCAT also found that the fact that the recipient of FMM’s information never read the report did not operate to reduce the seriousness of the potential consequences of the disclosure.
Because the data security principle is all about taking reasonable steps to prevent loss, misuse or unauthorised disclosure; and what will be considered ‘reasonable’ depends on the potential consequences of harm if the information was to be lost, misused or accessed without authority; then as NCAT noted, whether or not there has been a breach of the data security principle relates to the potential consequences of its disclosure, not the actual consequences.
NCAT found that the delicate nature of the information contained about each individual in the monthly reports “weighs heavily for robust security safeguards to protect it. … The potential for unlawful disclosure of personal and health information in an exercise of this scale calls for stringent security safeguards to minimise this risk”.
What is not a reasonable safeguard?
As already mentioned, icare was not using any de-identification, encryption or password protection at the time of the data breach.
NCAT reviewed the data security safeguards that were in place in relation to the monthly reports at the time of the data breach, and stated succinctly: “They do not impress”.
A method of checking a sample of files was described by NCAT as “wholly inadequate”. icare argued that one of its data security safeguards was that all staff attended mandatory privacy training, but NCAT described this as “a very weak safeguard against the systems failure that led to the disclosure”. A disclaimer was also described as a “relatively weak security safeguard”, in particular because the disclaimer was embedded in the report itself; so the recipient had to open the report sent to them in error, in order to read the disclaimer telling them not to read any information sent to them in error.
Finally, NCAT placed little weight on the fact that the recipients of the reports had privacy and confidentiality obligations under legislation and/or contract, which should operate to prevent anyone from misusing the information sent to them in error, because the agency’s responsibility to have reasonable security safeguards “cannot be delegated in this way”.
As a result, NCAT found a breach of the Data Security principles.
What caused the harm: the breach, or the notification about the breach?
In this case, the realisation that the agency charged with looking after injured workers had failed in its duty to protect the privacy and security of her information, along with thousands of other injured workers, is likely what caused further harm to FMM.
This is an important point, when you consider the imminent introduction of a mandatory notifiable data breach scheme in NSW, and the existing scheme under the federal Privacy Act. If your organisation is covered by one of those schemes, and you suffer a data breach, you must by law notify affected individuals, if the breach is likely to result in serious harm to those individuals. But even if the personal information lost, accessed or disclosed in the data breach did not itself then go on to cause the individual any harm (for example, even if the individual did not then suffer identity theft or similar harms), the affected individuals have now been tipped off about the data breach.
They can then bring a privacy complaint, to NCAT or to the OAIC as the case may be, to the effect that it was your organisation’s failure to take reasonable steps to prevent the data breach from happening, which constitutes a breach of privacy law. Importantly, the loss of trust that results from receiving that notification, and the realisation that your organisation has failed to protect the affected individuals – well, that loss of trust may be the thing that triggers the individual harm, especially for individuals who have a pre-existing psychological condition.
This could be a real sleeper issue for organisations. Looking at the latest survey results from the OAIC, of the Australians who had been caught up in a data breach in the previous 12 months, 12% said they experienced significant “emotional or psychological harm” – slightly more than those who experienced the harms that were more ‘expected’ and held media attention, such as financial or credit fraud (11%) or identity theft (10%).
In this case, FMM produced two medical reports in support of her claim for damages for psychological injury, from her long-term treating psychologist and psychiatrist. NCAT was satisfied that FMM had a pre-existing chronic condition including major depression with panic attacks and agoraphobia; and that, as a result of learning about the disclosure of her personal information in the data breach, she experienced an exacerbation of symptoms with stress levels heightening to panic proportions, and the emergence of suicidal thoughts.
NCAT was satisfied that the disclosure of her personal information directly caused an acute exacerbation of her pre-existing mental health condition and psychological injury, and that that exacerbation “was triggered by the applicant being informed of the disclosure”.
Importantly, while it was the notification of the data breach which triggered the harm to the individual in this case, NCAT determined that the underlying cause was the failure to implement data security safeguards, which led to the data breach and the unauthorised disclosure of FMM’s personal information.
NCAT found it “clear” that icare was liable for any damage the applicant suffered because of the exacerbation of her symptoms by its conduct, notwithstanding her pre-existing condition.
Compensation and the eggshell psyche rule
NCAT quoted EPT v The Sydney Children’s Hospital Network to note that “with respect to psychological injury there an ‘eggshell psyche’ principle which, like the equivalent ‘eggshell skull’ principle, is a rule of compensation not of liability”.
In other words, when determining compensation, NCAT should look to the impact the conduct had on the actual applicant, “rather than speculate how it might have impacted on (a) theoretical person”.
NCAT found that the impact of the conduct on FMM had been “extreme”, resulting in “an ongoing risk to her life” due to suicidal thoughts. It was also having a severe negative impact on the quality of her life, in particular interrupting her recovery trajectory from her pre-existing injury. FMM was awarded $20,000 in damages for non-economic loss.
(NSW privacy law has a statutory compensation cap of $40,000 – an amount which has not changed in the 25 years since the law was drafted.)
But wait there’s more
While noting that the conduct was not malicious, NCAT described the data breach as “a most serious system failure which is attendant upon wholly inadequate security safeguards”.
When determining additional remedies, NCAT repeated its concern that icare had tended to minimise the nature of the data breach, and stated “in this respect, the agency’s conduct was reprehensible, particularly given that it is responsible for the protection of the personal and health information of vulnerable people, being injured workers”.
This case is notable for the degree of attention paid by NCAT to the manner in which the personal information was, and was proposed to be in the future, protected by the agency. In particular, NCAT reviewed what icare had put in place since the data breach, and what was planned for the future. NCAT’s conclusion was that the agency was not doing enough to prevent another breach of the same type, and thus their data security remained “inadequate” and “not reasonable”, having regard to the requirements of the Data Security principles.
As a result, NCAT made some fairly extraordinary orders, in terms of deciding exactly what they should be implementing instead.
NCAT ordered icare to ensure that within six months it had implemented password protection and encryption of the reports, and had available two senior personnel to manually cross check every report. However of greater impact, NCAT ordered that within 13 months icare must replace the entire system of emailing monthly reports, with a secure online employer portal, which would require authorised users to authenticate their identity and log in, to download reports instead.
Lessons to be learned
Let the cost implications of this case sink in for a moment.
One person out of almost 200,000 affected individuals was awarded $20,000 compensation. There might be many more who will now line up for something similar, although NCAT did note that this particular applicant’s degree of harm was extreme.
But the implications are not just about the cost of compensation payouts; being required to introduce a whole new way of managing data sharing will, I suspect, be a far more significant cost impost on the agency.
This case should be a wakeup call for any organisation which shares personal information by email at scale. It’s not as cyber-sexy as talking about hackers, but in report after report from the OAIC, we see that the single most frequent cause of data breaches is emailing personal information to the wrong recipient, or – as was the case in the recent disastrous data breach impacting the Police Service of Northern Ireland – including information in attachments to emails which should not be there.
If your organisation is still sharing records containing information about identifiable individuals by email at scale, you should move now to implement a more secure method for transmitting records, in order to prevent a data breach.
But if you do suffer a data breach, don’t downplay or misrepresent the nature of the breach to affected individuals; and handle particularly vulnerable individuals with the care and respect they deserve.
November 2023 update:
This case is now under appeal. Like the more than 575 NSW privacy cases decided since 2001, implications and insights will be added to our annotated guide to the NSW privacy laws, PPIPA in Practice, as new cases are published every quarter.
We also have pragmatic resources like a Checklist of Common Privacy Risks and Controls, and a Template Data Breach Response Plan tailored for different sectors, in our Compliance Kits – see which package of resources best suits you.
Photograph © iStock