First civil penalty imposed under the Privacy Act

Alert

The Federal Court's recent decision in Australian Information Commissioner v Australian Clinical Labs (No 2) [2025] FCA 1224 marks a turning point in privacy enforcement in Australia. It resulted in the first civil penalty under the Privacy Act 1988 (Cth) (the Privacy Act) being imposed on Australian Clinical Labs (ACL), which was ordered to pay an AUD5.8 million penalty following a 2022 data breach of Medlab Pathology Pty Ltd (Medlab) affecting 223,000 individuals.

Key Takeaways

There are a number of key takeaways for organisations from this case:

The OAIC is increasingly active with enforcement

The OAIC is actively pursuing civil penalties for privacy breaches, including in a number of other cases arising out of data breaches. The enforcement landscape and the risk of cyber incidents have materially increased in recent years.

Taking 'reasonable steps' to protect personal information requires meaningful action, and it is not enough to rely on third parties

Entities must demonstrate that they have implemented, and regularly test and maintain, cyber and incident-response controls.

Outsourcing to, or engaging, third party suppliers alone is not sufficient to discharge APP 11 obligations.

M&A due diligence of cyber – and remediation plans for gaps – is critical

Buyers must assess the privacy and cybersecurity posture of targets and address deficiencies quickly post-acquisition.

Data breach assessments must be completed quickly and thoroughly

Investigations must be thorough, documented, and completed within 30 days of organisations becoming aware of potential eligible data breaches.

Similarly to the 'reasonable steps' requirement under APP 11, it is not enough simply to rely on third parties to conduct an assessment.

Notification must be swift

Eligible data breaches must be reported to the OAIC and affected individuals as soon as practicable.

Why it matters

This decision illustrates that the OAIC is willing to seek, and the Federal Court is willing to impose, significant penalties for non-compliance with the Privacy Act. Under the current penalty regime, entities face penalties up to the greater of AUD50 million, three times the benefit derived from the breach, or 30% of annual turnover. The penalty of AUD5.8 million was determined having regard to input from the OAIC and ACL, including the acknowledgment that ACL had taken steps to invest in cyber security and privacy practices prior to the data breach incident and also after the incident.

Aside from the financial penalty, the fact that this case has been the focus of much attention from the legal community and the public more broadly for almost 3 years demonstrates the reputational risk and harm associated with data breaches and alleged breaches of the Privacy Act, reinforcing the need for active cyber governance and board-level accountability.

Privacy Commissioner Carly Kind has also emphasised that this decision 'should serve as a reminder of the consequences entities face where they fail to protect personal information.'

Factual background and court findings at a glance

The ACL proceedings related to a data breach suffered in February 2022, which occurred on IT assets that ACL had purchased from Medlab in December 2022. This is relevant because the Medlab IT systems differed in some ways from the IT systems used by ACL more generally, and ACL had owned and controlled the Medlab assets and business for only approximately 3 months when the data breach occurred.

ACL was found to have failed to:

  • adequately protect personal information as required under APP 11;
  • carry out a reasonable and expeditious assessment of whether an eligible data breach had occurred as required under section 26WH(2) of the Privacy Act; and
  • notify OAIC of a data breach as soon as practicable under section 26WK(2) of the Privacy Act.

The Court observed that ACL had an "overreliance" on third party service providers and failed to have in place adequate procedures to detect and respond by itself to cyber incidents. This was one of the factors relevant to the finding that ACL had failed to take "such steps as are reasonable in the circumstances" to protect the personal information held on the Medlab IT systems from "unauthorised access" and "unauthorised disclosure".

Of course, organisations engage third parties to provide information systems security and cyber security services, given the complexity and rate of change in these areas and the need for specialist, technical expertise.

However, this decision and the statement that ACL was "overreliant" on third parties highlight the need for organisations to ensure that they maintain an appropriate level of control over their information systems security and cyber security postures. It is not enough simply to engage experts or service providers and assume that this will discharge an organisation's obligations under the APPs. While this should be self-evident, and it is consistent with the principle in similar regulatory regimes, such as APRA's CPS 230 and CPS 234 standards, that the regulated entity remains responsible for compliance, it is a timely reminder.

The Court also found that ACL's ability to detect and respond to cyber incidents was deficient, and pointed to a number of failings:

  • while ACL had a cyber incident playbook, it did not clearly define responsibility roles and did not provide details on containment processes or management of a cyber incident;
  • ACL did not conduct adequate testing of incident management processes;
  • no data loss prevention techniques were used by Medlab to detect or prevent theft of data;
  • there were no data recovery plans;
  • there were limited communications plans;
  • there was no formal cyber security or incident response training for key employees;
  • there were limited security monitoring capabilities in relation to Medlab due to lack of retention of firewall logs; and
  • Medlab employees were not required to use multi-factor authentication.

Implications for M&A transactions

The fact that the data breach occurred after the acquisition of Medlab highlights the privacy and cybersecurity risks that can be transferred with an acquisition. The statement of agreed facts and admissions agreed between ACL and the OAIC, which is attached to the judgment, notes that ACL identified a number of deficiencies and gaps in its IT and cybersecurity practices and processes. ACL accepted that its plan was to integrate or decommission the Medlab IT systems by no later than June 2022 – i.e., a little over 6 months after ACL assumed control of the Medlab assets.

Ultimately, these gaps and deficiencies were some of the factors that contributed to the data breach occurring in the manner that it did.

While it isn't unusual for due diligence as part of an M&A transaction (either a share sale or an asset sale) to identify areas where processes, systems and controls could be improved or replaced, these gaps and the risks they present should be carefully considered. The risks presented by deficiencies in IT systems and process, cybersecurity and privacy frameworks are real, and can eventuate, so it is critical to consider the impact of such risks materialising, and to both develop and promptly implement mitigations and remediation steps to address key gaps and deficiencies.

Buyers shouldn't assume that medium to longer term remediation plans or projects to uplift IT systems and cybersecurity will be accepted by the OAIC or the courts as a sufficient mitigant or control, and nor should sellers think that disclosure is enough to provide comfort to buyers. We anticipate that detailed IT and privacy due diligence, together with post-completion reviews and remediation plans, will be an even greater focus in M&A transactions than they are currently.

Practical steps for organisations

The findings of the Court in this case make it clear that organisations should:

  • review and test their cyber and IT security and incident-response frameworks annually;
  • define and document cyber incident roles, escalation paths, and containment procedures;
  • ensure breach investigations are comprehensive, documented and promptly carried out within 30 days;
  • develop and maintain internal IT, cyber and privacy capabilities, and where engaging third parties, be sure to review, test and challenge their services and advice and not simply accept it unquestioningly;
  • prepare notification templates for OAIC and affected individuals to assist in prompt notification where required; and
  • embed cybersecurity due diligence and post-completion actions into all M&A processes.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.


© 2025 White & Case LLP
