Monday, 23 July 2018 11:35

PageUp breach secrecy may be to set precedent: expert

Helaine Leggat: "If too much information is made public, it does not help in an investigation." Supplied

Australian authorities may have decided not to fully disclose details of the data breach at human resources outfit PageUp People as it is the first major breach to be revealed, and the processes followed could set a precedent for others that follow, an expert in cyber security and law says.

Helaine Leggat, head of cyber law at Sladen Legal, told iTWire in response to queries that the Department of Home Affairs and other Australian authorities may have decided to practice "security through obscurity".

Since 19 June, PageUp People has kept mum about the breach, having revealed very little about it prior to that as well, after first breaking the news of the breach on 6 June. The company has said it first noticed the intrusion on 23 May.

Leggat pointed out that in the US, from as early as 2015 after the promulgation of the Cybersecurity Information Sharing Act (CISA Legislation), "the authorities, including LEA (Law Enforcement) were saying that the victims of crime should not be punished. I have heard (Australian Cyber Security Centre chief Alastair) MacGibbon say the same thing here in 2018".

MacGibbon has gone on the record describing PageUp as being effectively "victimised" as a result of having to out itself to Australian customers before it even knew for certain there was a problem.

Leggat said there could be many reasons why the authorities were keeping quiet and protecting PageUp People.

"We are no doubt dealing with crime/criminal organisations wrt the breach," she said. "The UK authorities are also involved. Remember, there are Mutual Co-operation laws where countries like Australia and the UK agree to work together to assist one another. If too much information is made public, it does not help in an investigation."

She pointed out that in the case of the Singapore Privacy Law, there was no obligation to report a breach.

Asked whether there was a requirement for PageUp to provide full details of the breach to the public, Leggat said there were various provisions of the law that gave authorities an out.

She said she suspected that "full disclosure in this case will not be helpful to Australian interests in the fight against crime".

But Leggat said that "from a trust and company risk/reputation point of view, one would think that PageUp People would want to communicate more frequently. (I recommend Crisis Communications Policies, among other things).

"It is complex and we do not have the answers. Bear in mind the broader aspects of privacy. While Australia does not have a Tort (private action) of privacy, it does recognise privacy as a human and civil right – Refer to the Preamble of the Privacy Act 1988.

"There are all sorts of legal causes of action that can arise in a case such as this, including, contractual actions (PageUp with its clients, service providers etc), Breach of Confidence, negligence, shareholder actions etc. The biggest mistake people are making is to look narrowly at the NDB Scheme."




Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


