Landmark Privacy Decision: Federal Court Confirms $5.8m Penalty against Australian Clinical Labs

  • Writer: Isabella Tziolis
  • Nov 4
  • 3 min read

The Federal Court of Australia has recently delivered an important decision ordering Australian Clinical Labs (ACL) to pay a $5.8 million penalty for serious contraventions of the Privacy Act 1988 (Cth) (the Privacy Act). The decision sets a precedent for privacy enforcement in Australia and sends a strong message to all entities that handle sensitive data.


Background & Breach Details


ACL is a major pathology service provider which holds substantial volumes of personal and health information as part of its operations. In December 2021, ACL acquired Medlab Pathology, inheriting its IT systems and data management responsibilities. In February 2022, Medlab Pathology suffered a cyberattack, resulting in the unauthorised access, theft and dark web publication of the personal and sensitive information of more than 223,000 people. The leaked information included names, addresses, test results, Medicare information and financial information.


It was not until June 2022 that the Australian Cyber Security Centre confirmed that over 86 GB of the stolen material was being traded on the dark web.


Federal Court Findings


The Federal Court imposed the following penalties:

1.  A penalty of $4.2 million for more than 223,000 contraventions of s 13G(a) of the Privacy Act for ACL’s failure to take reasonable steps to protect the personal information held by ACL on Medlab Pathology’s IT systems;

2.  A penalty of $800,000 for the contravention of s 26WH(2) of the Privacy Act for ACL’s failure to carry out a reasonable and expeditious assessment of whether an eligible data breach had occurred following the cyberattack on the Medlab Pathology IT systems in February 2022; and

3.  A penalty of $800,000 for the contravention of s 26WK(2) of the Privacy Act for ACL’s failure to prepare and give to the Australian Information Commissioner a statement concerning the data breach as soon as practicable.

This is the first time civil penalties have been ordered under the Privacy Act. Amendments to the Privacy Act since the time of ACL’s breach have increased maximum penalties to up to $50 million per contravention, highlighting the potential for more significant consequences for future breaches.


Regulatory Implications


The decision offers critical guidance to entities on what constitutes “reasonable steps” for data protection, and emphasises the importance of timely breach assessment and notification. Key lessons include:


1. Incident Response Readiness: Entities must have robust and tested frameworks for quickly assessing and reporting data breaches. As this decision shows, delays in that process may be significantly penalised.

2. Cyber Due Diligence in M&A: The integration of IT systems following mergers and acquisitions is evidently an acutely vulnerable period for entities. As part of due diligence procedures, entities should conduct thorough risk assessments, identify security concerns, and subsequently address the security concerns they inherit.

3. Board and Executive Accountability: The decision highlights that responsibility for privacy compliance lies with the senior management of an entity, who must actively oversee data protection and breach reporting practices.

4. Regulatory Environment: As the OAIC has increased its scrutiny of entities dealing with data breaches, prompt compliance and ongoing review of data systems are non-negotiable for entities handling sensitive and personal information.


Regulatory Response


Elizabeth Tydd, Australian Information Commissioner, welcomed the decision, describing it as a vital deterrent and a clear standard for entities to proactively safeguard personal and sensitive information, especially when handling health or financial data. The decision is expected not only to influence the regulatory environment but also to improve the structure of privacy policies and cybersecurity investment across all sectors.


The decision ultimately “provides an important reminder to all APP entities that they must remain vigilant in securing and responsibly managing the personal information they hold”. Entities are also urged to understand that “future action will be subject to higher penalty provisions now available under the Privacy Act” (OAIC).


Conclusion


The Federal Court’s landmark penalty against ACL stands as a turning point in Australian privacy law. Entities should understand that robust privacy safeguards, prompt incident assessment, and transparent regulatory reporting are foundational to compliance with the Privacy Act.


ABOUT THE AUTHOR


Isabella Tziolis assists as a paralegal in commercial, defamation, employment and general matters and is committed to supporting BlackBay Lawyers’ mission of delivering exceptional legal services. Her work focuses on providing comprehensive legal support, conducting extensive research, and offering strategic guidance to clients.

Isabella is currently studying a Bachelor of Laws and a Bachelor of Arts, majoring in Politics and International Relations, at the University of New South Wales. Her academic and professional experience has fostered her high attention to detail and strong analytical skills, which allow her to efficiently handle high-pressure situations and contribute to effective legal strategies.
