In a landmark decision, the Federal Court has ordered Australian Clinical Labs to pay $5.8 million in civil penalties under the Privacy Act 1988 (Cth) (Privacy Act) – the first time such penalties have been enforced through the courts. The case marks a decisive shift towards stronger privacy enforcement and highlights the serious consequences for organisations that fail to protect personal information.
Need to know:
- The Australian Information Commissioner has demonstrated a willingness to pursue substantial civil penalties for privacy breaches, including data breaches.
- The decision clarifies what constitutes “reasonable steps” to protect personal information and “reasonable and expeditious” data breach assessments.
- The amount of penalties awarded was determined under an earlier civil penalty regime. The current maximum penalty for serious privacy breaches is now the greater of $50 million, three times the benefit obtained from the breach, or 30% of adjusted turnover during the relevant period.
Background: Australian Clinical Labs data breach
In a first, the Australian privacy regulator has successfully enforced the payment of $5.8 million in civil penalties under the Privacy Act through the Federal Court. Following an investigation by the Office of the Australian Information Commissioner into Australian Clinical Labs’ 2022 data breach, a cyber-attack which impacted 223,000 individuals, the Commissioner commenced Federal Court proceedings for orders to confirm an in-principle settlement reached between the Commissioner and Australian Clinical Labs, including the amount of the civil penalties payable.
The Federal Court decision provides important clarification and regulatory certainty for Australian organisations with respect to their data breach response and security obligations, as well as the calculation of civil penalties under the Privacy Act.
But perhaps more importantly, the decision signals a shift towards a more assertive enforcement strategy for the Australian Information Commissioner and highlights the serious consequences for regulated entities that fail to protect the personal information they hold.
Key takeaways for Australian organisations
While the interpretation of the Privacy Act by the Federal Court is not surprising (in that it aligns with regulatory guidance and privacy best practice), it provides much-needed clarification and regulatory certainty for Australian organisations on key provisions of the Privacy Act.
- What are “reasonable steps” for the protection of personal information?
Under Australian Privacy Principle (APP) 11.1(b), regulated entities are required to take reasonable steps to protect personal information from “unauthorised access, modification or disclosure”.
The Court has confirmed regulatory guidance on the meaning of “reasonable steps” under APP 11. That is, whether steps are “reasonable” is an objective question informed by the surrounding circumstances (including the sensitivity of personal information, potential harm to individuals if the information is accessed or disclosed, the size and sophistication of the regulated entity, the cybersecurity environment, and any previous threats or attacks against the entity).
For Australian Clinical Labs, the data breach resulted in the unauthorised access and exfiltration of personal information it held, following a recent acquisition of a pathology business. Inadequate security controls were not identified during the acquisition process or rectified post-completion. This included insufficient cyber incident response plans and playbooks (and training) to enable an appropriate response to the data breach.
Key takeaway: There is no “one size fits all” when it comes to “reasonable steps” to protect personal information. It is also not a “set and forget” exercise. Organisations regulated by the Privacy Act must assess the nature and sensitivity of the personal information they hold and implement (and maintain) organisational and technical security measures to protect personal information that are proportionate to the associated risks. Additional or enhanced protections may be required where particularly sensitive information is involved.
- What is a “reasonable and expeditious assessment” of a suspected eligible data breach?
Under the Privacy Act’s Notifiable Data Breaches (NDB) scheme, regulated entities must undertake a “reasonable and expeditious assessment” where they have grounds to suspect a data breach is likely to result in serious harm to affected individuals. This assessment must be completed, as far as possible, within 30 days. Contact us for more information about compliance with the NDB scheme.
In response to its data breach in 2022, Australian Clinical Labs relied on an investigation carried out by its third party cybersecurity advisor, which it knew to be a limited investigation, in concluding that the data breach had been contained and that personal information had not been exfiltrated by the threat actors. The Court found that such reliance was not reasonable and that by failing to investigate further, Australian Clinical Labs delayed the eventual identification and notification of the eligible data breach.
Key takeaway: For regulated entities, the Court’s finding highlights the importance (and required scope) of an investigation under the NDB scheme. It is not reasonable for regulated entities to rely solely on a limited third-party investigation; rather, the scheme requires a reasonably thorough and proactive review to determine whether personal information may have been compromised and whether serious harm to affected individuals is likely. Delays or superficial investigations can result in findings of non-compliance and exposure to civil penalties.
- What is the timeframe to notify the Office of the Australian Information Commissioner and affected individuals?
Under the NDB scheme, once a regulated entity has reasonable grounds to believe that an eligible data breach has occurred, it must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals “as soon as practicable”.
The Court found that Australian Clinical Labs delayed notifying the OAIC by approximately three weeks, despite Australian Clinical Labs acknowledging that it could have notified within two to three days of having reasonable grounds to believe an eligible data breach occurred.
Key takeaway: Timely notification is essential. Delays, even when unintended, can be viewed as non-compliance and increase exposure to enforcement action.
- How are civil penalties calculated under the Privacy Act?
At the time of Australian Clinical Labs’ data breach, the maximum civil penalty under the Privacy Act for “serious or repeated” interferences with privacy was $2.22 million. The Court clarified that penalties are calculated by reference to each contravention of this civil penalty provision.
For Australian Clinical Labs, this meant that, theoretically, the Commissioner could have sought civil penalties of up to $2.22 million for each of the 223,000 individuals affected by the data breach, in addition to other contraventions of the Privacy Act. However, the Court found the penalty of $5.8 million agreed between the parties fell within the permissible range of penalties that would be sufficient for the purposes of specific and general deterrence. The fact that Australian Clinical Labs had cooperated with the OAIC’s investigation and commenced a program to uplift its cyber security maturity was also a relevant consideration for the Court.
Future similar data breaches, or other serious interferences with privacy, could attract significantly higher civil penalties. The current maximum civil penalty for serious interferences with privacy can be up to the greater of $50 million, three times the value of the benefit the organisation gained from the misuse of personal information (if quantifiable), or 30% of adjusted turnover during the relevant period.
Key takeaway: Civil penalties for privacy breaches can now reach tens of millions of dollars, emphasising the need for proactive risk management.
What should Australian organisations do now?
- Review data security practices, procedures and systems
Australian organisations should consider whether appropriate organisational and technical security measures are implemented and maintained to protect the personal information they hold. This includes personal information that may be held following an M&A or other corporate transaction.
The appropriateness of these measures needs to be assessed on a case-by-case basis, including with regard to the sensitivity of personal information, potential harm to individuals if the information is impacted by a data breach, the size and sophistication of the organisation, and any previous threats or attacks against the organisation. Organisations should also regularly assess their level of privacy maturity, and whether this appropriately manages their data breach (and privacy) risk or if an uplift is required.
- Review your data breach response plan
It is critical for Australian organisations regulated by the Privacy Act to have an implemented (and tested) up-to-date data breach response plan.
In reviewing a data breach response plan and whether it remains fit-for-purpose, ensure it clearly identifies your organisation’s obligations under the NDB scheme (and other applicable regulatory regimes, contractual and other arrangements) and clearly allocates roles and responsibilities for the response team. It should also clearly articulate the procedures to be followed in responding to a data breach, which may include identifying where external expertise is required, and a communications plan.
In addition to regular testing on the data breach response plan (through cyber incident simulations and table-top exercises), ensure the plan is updated following changes to your organisation, particularly acquisitions or other corporate transactions.
- Undertake appropriate cybersecurity and privacy due diligence in connection with corporate transactions
Failing to identify and remediate cybersecurity and privacy weaknesses in an acquired business can expose the purchaser to regulatory risk, operational disruption, and financial penalties.
If you are purchasing a business, you should conduct appropriate due diligence and take action post-completion to address any identified deficiencies. Depending on the circumstances, due diligence may include a review of IT systems, information security controls, incident response procedures, past data breaches, and privacy management programs.
Get in touch
The Australian Clinical Labs decision marks a turning point in privacy regulation, signalling a new era of active enforcement and higher penalties. Australian organisations must treat data protection as a board-level priority, embedding privacy and cybersecurity resilience into their operations.
If you would like to discuss the implications of this decision for your organisation, or need assistance developing and testing your data breach response plan, please contact Sophie Bradshaw.