17/10/2025
Cyber-catastrophe: Business fined A$5.8m following privacy breach

The Australian Federal Court has ordered Australian Clinical Labs (ACL) to pay an A$5.8 million penalty following a February 2022 cyber-attack. The penalty is the first of its kind under the Australian Privacy Act 1988 (Cth) and marks a new phase in Australian privacy enforcement.
Key takeaways
- While the New Zealand Privacy Act does not currently provide for a similar penalty regime, New Zealand businesses operating in Australia need to be aware that they may be subject to sanctions under the Australian legislation.
- Regardless of statutory penalties, the failings highlighted in this case (inadequate cyber due-diligence when acquiring a business, poor cyber-security controls, training and response plans) can give rise to wider liability in New Zealand where cyber-breaches cause harm to customers and consumers.
- Importantly, the decision emphasises that reliance on an external cyber-security consultant does not enable organisations to evade responsibility for falling short in their response to a data breach.
The cyber-attack
ACL is one of the largest private hospital pathology businesses in Australia. In December 2021, ACL acquired the assets of Medlab Pathology Pty Ltd (Medlab).
In February 2022, Medlab’s IT systems were hacked, exposing the personal data of approximately 223,000 individuals, including health information, financial data, and Medicare numbers. A ransom demand followed.
In reliance on an (inadequate) report by external cyber-security experts, ACL initially concluded that no data had been stolen and that there was no “eligible data breach” giving rise to obligations under the Australian Privacy Act. ACL only notified the Australian privacy regulator (OAIC) of the breach in July 2022, weeks after learning that Medlab data had potentially been published on the dark web.
Australian Privacy Act breaches
The OAIC brought proceedings against ACL under the Australian Privacy Act and ACL admitted various breaches including:
- Failure to take reasonable steps to protect personal information (223,000 contraventions). Relevant factors included that:
  - the Medlab IT system had inadequate cybersecurity controls;
  - ACL had failed to identify the vulnerabilities in its due diligence before acquisition; and
  - ACL relied heavily on external cybersecurity consultants while lacking internal procedures and expertise to detect and respond to cyber incidents. Notably, the internal incident response playbooks were unclear, inadequately tested, and did not define roles or containment processes, and the Medlab IT Team Leader had no formal cybersecurity training.
- Failure to promptly assess whether an eligible data breach had occurred: the assessment by the external experts monitored only a fraction of the affected computers and failed to investigate the likelihood of data exfiltration.
- Failure to promptly notify the OAIC and affected individuals of the breach: ACL failed to provide a statement as soon as practicable after becoming aware of reasonable grounds to believe an eligible data breach had occurred.
Each contravention attracted a maximum civil penalty of A$2,220,000. The parties jointly submitted that a penalty of A$5.8 million was appropriate. The Court agreed and entered judgment for that amount.
Amendments to the Australian Privacy Act in December 2022 now allow the Court to impose much higher penalties - up to $50 million, three times the benefit derived from the conduct or up to 30% of a business’s annual turnover per contravention.
What this means for you
New Zealand companies carrying on business in Australia (or handling Australian customer data) need to be aware that they may be subject to the Australian Privacy Act (and its penalties).
Businesses operating solely in New Zealand are not yet subject to such significant statutory penalties. At present, the New Zealand Privacy Act provides for an NZD 10,000 maximum penalty for a failure to notify the Office of the Privacy Commissioner (OPC) of a data breach giving rise to a serious risk of harm. Unsurprisingly, the OPC has publicly called for greater enforcement powers, but Parliament has yet to act on these appeals.
That said, other legal risks arise for New Zealand businesses which suffer data breaches, including potential claims of:
- breaches of privacy and confidentiality from affected individuals;
- breach of contract; and
- breach of directors’ duties and negligence,
where, like the defendant in the Australian case, their cyber-security practices fall short. For more information see our Cyber Risks Report.
How we can help
If you’d like a review of your current practices, or guidance on how this case could impact your obligations, please get in touch with one of our experts.
Special thanks to Holly Soar and Tawhiwhi Watson for their assistance in writing this article.