INSIGHT

One cyber incident, many breaches: first civil penalty under the Privacy Act

By Valeska Bloch, David Rountree, Christopher Kerrigan, Vishaya Pracy, Rachel Griffith

Landmark decision sets precedent for privacy enforcement

The Federal Court has approved Australian Clinical Labs' settlement agreement with the Australian Information Commissioner (the Commissioner) to pay a $5.8 million penalty, and a contribution of $400,000 to cover the Commissioner's costs.

This is the first civil penalty proceeding successfully brought by the Commissioner under the Privacy Act. It is also the first time we have judicial interpretation of:

  • APP 11.1 – the requirement to take reasonable steps to protect personal information.
  • s26WH(2) – the requirement to assess a suspected eligible data breach reasonably and expeditiously.
  • s26WK(2) – the requirement to notify the Commissioner of an eligible data breach as soon as one has reasonable grounds to believe that an eligible data breach has occurred.

As well as providing judicial clarity regarding the application of the Privacy Act, this decision sits alongside the growing body of judicial consideration of cyber-related obligations across other regulatory frameworks, and covers consistent themes on the baseline expectations regarding cyber risk management (both prior to and in response to a cyber incident). These are likely to be instructive to other regulators (eg APRA and ASIC) regarding the application of other principles-based regulation (eg CPS 234, directors' duties, s912A Corporations Act) governing conduct in connection with cyber incidents. The decision will also be closely scrutinised by class action promoters and could fuel further class action activity.

Key takeaways

  • APP 11.1 sets a high standard for the protection of personal information. Relevant considerations include the adequacy of authentication measures, incident response and communications plans, clarity around roles and responsibilities, role-based training, overreliance on third parties to detect and respond to cyber incidents, and a failure to identify and assess IT vulnerabilities.
  • Organisations should actively oversee and interrogate the approach taken in technical forensic investigations and test the veracity of investigation findings.
  • Consistent with the OAIC's commentary over the past few years, organisations should assess and notify eligible data breaches with urgency.
  • Inherit the system, inherit the risk. In an acquisition context, high-quality cyber risk diligence and cyber risk management planning in transition and integration are key.
  • There will be a separate contravention for each individual that is impacted in a cyber incident, but the fact those contraventions arise from the same conduct will be relevant in determining an appropriate penalty. Steps such as publicly apologising, proactive remediation of control failures and cooperation with the Office of the Australian Information Commissioner's (OAIC) investigation can help mitigate the size of any penalty.

The proceedings

The facts

  • Australian Clinical Labs (ACL) is a major Australian private hospital pathology provider, employing over 5,000 staff and generating significant annual revenue.
  • On 19 December 2021, ACL acquired Medlab, a pathology business operating in NSW and Queensland, inheriting sensitive personal data of more than 223,000 individuals.
  • Prior to the acquisition, ACL did not identify key vulnerabilities in Medlab’s IT systems.
  • In February 2022, a threat actor known as the Quantum Group launched a ransomware attack on Medlab’s systems. ACL’s initial response relied on a third-party cybersecurity provider, who conducted limited investigations and concluded no data exfiltration had occurred.
  • The Australian Cyber Security Centre (ACSC) notified ACL that it was aware of the incident, but ACL relied on the initial technical assessment undertaken by the consultant and did not notify the OAIC or affected individuals of an eligible data breach.
  • In June 2022, the ACSC notified ACL that it had identified 86GB of sensitive Medlab data published on the dark web, including personal information and sensitive information.
  • ACL subsequently notified the Office of the Australian Information Commissioner (OAIC) in July 2022 and proceeded to notify affected individuals, issuing a public apology and ASX announcement in October 2022.

Declarations and orders

These proceedings were settled prior to the final hearing. The court received proposed declarations and orders to be made by consent and a statement of agreed facts and admissions (SAFA), in which ACL admitted to having contravened:

  • APP 11.1 – the requirement to take reasonable steps to protect personal information.
  • s26WH(2) – the requirement to assess a suspected eligible data breach reasonably and expeditiously.
  • s26WK(2) – the requirement to notify the Commissioner of an eligible data breach as soon as one has reasonable grounds to believe that an eligible data breach has occurred.

The court ordered that ACL pay:

  • a civil penalty of $5.8 million; and
  • $400,000 towards the Commissioner’s costs in the proceeding.

These were ordered on the basis that these breaches were 'serious' and therefore triggered the civil penalty provisions under s13G of the Privacy Act.[1]

The decision

APP 11.1 sets a high standard for the protection of personal information. Relevant considerations include the adequacy of authentication measures, incident response and communications plans, clarity around roles and responsibilities, role-based training, overreliance on third parties to detect and respond to cyber incidents, and a failure to identify and assess IT vulnerabilities.

In finding that ACL had not taken 'reasonable steps' to protect personal information, Justice Halley considered:

  • the size and nature of ACL's business (one of the largest private hospital pathology businesses in Australia);
  • the volume and sensitivity of the information;
  • the high cybersecurity risks facing ACL and the risk of harm to individuals if their health and other personal information was accessed and disclosed without authorisation;
  • various IT system deficiencies, including that the antivirus software used could not block or detect certain malicious files, Medlab computers used weak authentication measures, firewall logs were only retained for one hour (which restricted the ability to monitor and investigate incidents), there was no file encryption, the network server ran an unsupported version of Windows, and the antivirus software did not detect or prevent a threat actor from uploading data from the server to the internet;
  • ACL’s failure to identify those deficiencies prior to acquisition and the delay in ACL identifying those deficiencies; and
  • ACL's overreliance on third-party service providers and its failure to have in place adequate procedures to detect and respond to cyber incidents.

ACL's technical and organisational controls and preparedness activities were also relevant. Justice Halley noted (and ACL admitted in its SAFA) that ACL's ability to detect and respond to cyber incidents was deficient due to:

  • Inadequate incident response plans and playbooks: ACL's incident response plans and playbooks were not sufficiently detailed and contained gaps. For example, they did not clearly define roles and responsibilities in an incident, nor did they provide enough detail on how to contain an incident or mitigate data exfiltration (and some of the recommended steps were for technologies not even used in the affected systems). Specific data recovery plans had not been developed and there were only limited communications plans. The fact Medlab had only recently been acquired was not an excuse.

    This is consistent with ASIC's proceedings against RI Advice, which demonstrated that large companies should ensure their affiliates have each implemented, and operationalised, cybersecurity controls appropriate for that affiliate. Reliance on generic, group-wide policies may not be sufficient. (For more on the RI Advice proceedings, see Federal Court finds cyber risk management is a critical obligation for financial services firms).
  • Lack of training and familiarity with playbooks: the Medlab IT Team Leader had not seen, used, or received training on the playbooks and had no formal cybersecurity background or incident response training. Notably, ASIC also pointed to an alleged failure to provide adequate training and education on cybersecurity and to employ or retain individuals with specialised expertise in cybersecurity in the proceedings that it commenced in July 2025 against Fortnum Private Wealth. (For more on these proceedings, see Cyber enforcement in the spotlight again as ASIC pursues Fortnum Private Wealth).
  • Inadequate testing: there was inadequate testing of incident management processes in the three-month period (ie from 19 December 2021 to 25 February 2022) between the acquisition of Medlab Pathology Pty Ltd and the cyber incident.
  • Insufficient security tools: tools capable of behavioural analysis to detect sophisticated threats (beyond standard antivirus) were not used.
  • Lack of data loss prevention (DLP): DLP was not used on the relevant systems to detect or prevent the theft of information held on those systems.
  • No application whitelisting: there was no mechanism to prevent unauthorised or unknown applications from running on Medlab computers.
  • Minimal security monitoring: firewall logs were only kept for one hour, limiting the ability to monitor for and investigate threats. Relevantly, ASIC's concise statement in the civil penalty proceedings that it commenced against FIIG Securities Limited suggests that logs should be stored online for at least 90 days, and in an electronic archive for at least 12 months. (For more on those proceedings, see ASIC commences proceedings against FIIG for alleged cybersecurity failures).
  • No multi-factor authentication: Medlab staff were not required to use multi-factor authentication to access the Medlab VPN.

As of 10 December 2024, APP 11 was amended to clarify that the reasonable steps an organisation must take to protect personal information in accordance with APP 11 include both technical and organisational measures. This decision is consistent with that amendment, even though it relates to an earlier period.


Organisations should actively oversee and interrogate the approach taken in technical forensic investigations and test the veracity of investigation findings.

Put another way, organisations will not be permitted to hide behind the actions (or inaction) of their technical experts (whether third-party or internal) when assessing the adequacy of their investigations into suspected cyberattacks.

In this case, the investigation undertaken by a cybersecurity consultant was considered insufficient to meet the requirement to carry out a 'reasonable and expeditious assessment' as required by section 26WH of the Privacy Act. This is because the consultant:

  • only monitored three of at least 127 computers subject to ransomware deployed by the threat actor (the Quantum Group);
  • did not conduct any investigation into the threat actor and its attack traits to determine whether data was likely to have been exfiltrated;
  • based its review on only one of the firewall logs, which it did not access until approximately four hours after the ransom demand was first downloaded; and
  • only conducted a limited investigation of whether the threat actor may have established a persistence mechanism to stay connected to the Medlab IT systems and its network.

Justice Halley also noted that ACL was aware that this assessment was limited, and so it was unreasonable for it to rely solely on that assessment and the consultant's advice. Further, notwithstanding advice from the technical consultant that the threat posed by the Medlab cyberattack had been contained and that there was no information suggesting that personal information held on the Medlab IT systems had been exfiltrated, ACL 'had subjective knowledge or awareness of circumstances that were objectively sufficient to establish in the mind of a reasonable person a suspicion' that there may have been unauthorised access to personal information and that such access would be likely to result in serious harm to the relevant individuals.

This is also a cautionary tale about the dangers of technical experts providing advice regarding regulatory compliance (including notification requirements). For example, upon receiving a ransom note from the Quantum Group, the technical experts suggested that ACL 'prepare a statement stating that there was a malware incident but no data has been exfiltrated nor lost and the incident is being controlled'. Subsequently, upon concluding its limited investigation, the technical consultant told ACL that they 'would have to say' that the Medlab cyberattack did not cause harm to any individual.


Consistent with the OAIC's commentary over the past few years, organisations should assess and notify eligible data breaches with urgency.

ACL received two notifications from the Australian Cyber Security Centre (one on 25 March and the other on 16 June 2022) before it decided to provide a statement to the Commissioner informing her that ACL had reasonable grounds to believe the cyberattack amounted to an eligible data breach.

Almost one month passed between receipt of the second notification (which informed ACL that potentially 80 gigabytes of Medlab data had been published on the dark web) and ACL's provision of the statement.

In the court's view, ACL should have provided the statement within two to three days of the second ACSC notification (which was also the date that the data was published on the dark web). This timeframe aligns with a new timeline for eligible data breach notification proposed by the Attorney-General in the 2022 Privacy Act Review Report. Under the proposal, entities would be required to report eligible data breaches to the Commissioner within 72 hours of becoming aware that there are reasonable grounds to believe there has been an eligible data breach.


Inherit the system, inherit the risk. High-quality cyber risk diligence, together with transition and integration planning, is key to mitigating acquisition risk.

On one view, ACL was unlucky, with Medlab suffering a cyber incident just over two months after its acquisition. Some of the risk factors that gave rise to the incident may well have been remediated or mitigated in the near term through the proposed integration activities to bring Medlab on to ACL's core IT systems. Ultimately, this hard-luck story did not come into play, and the facts provide a few salutary lessons for the consideration of cyber-related risks in acquisitions:

  • Inherit the system, inherit the risk: the short time frame from acquisition doesn't change the assessment of whether these obligations were breached.
  • Technical and organisational cyber risk diligence is key: the judgment stated that the vulnerabilities identified in the Medlab systems were not identified prior to the acquisition. Given the nature of the vulnerabilities and process issues, a greater role for these issues in diligence, and their subsequent prioritisation prior to or following completion, could have mitigated this risk.
  • The importance of prompt testing and integration of cyber risk management processes during integration: as set out above, the agreed facts included the findings that:
    • Medlab team members were not familiar with, and had not received training on, cyber incident playbooks, despite being provided copies of ACL playbooks; and
    • there was inadequate testing of cyber incident management processes in the period following acquisition.
    Given the timeframe between the acquisition and the incident, this emphasises the importance of speed and prompt attention to cyber risk management and resilience matters as a priority. Often, in the case of transitions or integration, focus is placed on the technical cutover, with broader governance issues left for the roadmap. This case suggests that swift integration into an organisation's broader cyber risk management framework, including for cyber resilience testing, is critical.
  • Sale agreement warranties: for acquirers, careful consideration should be given to the types of warranties sought from sellers and how they account for these types of risks.

The penalty

There will be a separate contravention for each individual that is impacted in a cyber incident, but the fact those contraventions arise from the same conduct will be relevant in determining an appropriate penalty. Steps such as publicly apologising, proactive remediation of control failures and cooperation with the OAIC investigation can help mitigate the size of any penalty.

The $5.8 million penalty comprises:

  • $4.2 million for failing to take reasonable steps to protect the data under APP 11.1;
  • $880,000 for the failure to assess the breach reasonably and expeditiously under s26WH(2); and
  • $800,000 for delays in notifying the OAIC under s26WK(2).

Importantly, the court found that ACL engaged in a separate contravention of s13G(a) in respect of each of the more than 223,000 individuals whose personal information was held on the Medlab IT systems during the relevant period, even though those contraventions arose from the same conduct.

This provides judicial clarification (for the first time) of a critical question which has persisted in this area: what is the potential quantum of a civil penalty available in connection with a cyber incident which impacted multiple (or many thousands of) individuals?

The practical implication is that, for most large-scale data breaches, the theoretical maximum penalty is astronomical. The case against ACL arose prior to the November 2022 amendments to the Privacy Act, which increased the maximum penalty from $2.2 million to a 'greater of' formula with at least $50 million as a baseline. In this case, the theoretical maximum penalty was (as set out by Justice Halley) $495,060,000,000. It would have been over $11 trillion under the current penalty regime.

Despite this, the actual penalty amount was significantly less (by many orders of magnitude) and was aligned with the agreed penalty submission from the parties.

The court found that ordinarily the $5.8 million penalty would be 'manifestly inadequate or at least outside an acceptable or permissible range to achieve specific and general deterrence', having regard to the fact that:

  • the contraventions were extensive and significant, resulted from its failure to act with sufficient care and diligence in managing the risk of a cyberattack, had the potential to cause significant harm to the affected individuals, and had the potential to have a broader impact on public trust in entities holding private and sensitive information of individuals;
  • relevantly to personal deterrence, ACL is and was one of Australia's largest private hospital pathology businesses; and
  • ACL's most senior management were involved in the decision making around the integration of Medlab’s IT Systems into ACL’s core environment following ACL's acquisition of Medlab and ACL’s response to the cyberattack, including whether it amounted to an eligible data breach.

However, in this case these factors needed to be weighed against ameliorating considerations, including that:

  • ACL did not derive financial gain or benefit from the contraventions;
  • ACL had not previously been found by a court to have contravened the Privacy Act or otherwise engaged in any similar conduct;
  • the contraventions did not arise from deliberate misconduct by senior management;
  • prior to the attack, ACL had commenced a review of its cybersecurity processes and controls and the board had approved a program of works to uplift the company's cybersecurity capabilities. Following the attack, ACL appointed an experienced and credentialled full time Chief Information Security Officer;
  • the CEO of ACL apologised for the attack in an ASX announcement;
  • ACL admitted the contraventions and has cooperated with the OAIC's investigation; and
  • although there were 223,000 separate contraventions relating to the APP 11.1(b) breach, they arose from a single course of conduct.

These countervailing factors were critical in determining that the penalty of $4.2 million falls within the 'range of permissible penalties'. Justice Halley emphasised the importance of judicial restraint in the context of agreed penalties where a penalty falls within such permissible range, though comments made during the hearing (eg that a civil penalty should not be set at an amount that an entity would consider an 'acceptable cost of doing business'), and the reference to the potential 'manifest inadequacy' of the penalty, suggest the question of whether the penalty was adequate weighed heavily. The counterfactual of what penalty would have been determined absent such agreed penalty will remain unknown, but it is unlikely the amount would have been lower.

Footnotes

  1. Halley J adopted the approach taken in relation to the ASIC Act and the Corporations Act, noting that: '“serious contravention” has been construed as a contravention that is “grave or significant” or “weighty, important, grave and considerable”, and, in every case, it is ultimately a question of fact to be determined by reference to the degree of the departure from the requisite standard of care and diligence and the nature of the conduct, rather than the nature of the provision that has been contravened.' [see paras 57 and 58].