Privacy Law Nick Johnson

The Calculus of Compliance and Consequence: Analysing the Federal Court’s Landmark Decision in Australian Information Commissioner v Australian Clinical Labs Limited (No 2)

I       INTRODUCTION

 

The decision of the Federal Court in Australian Information Commissioner v Australian Clinical Labs Limited (No 2) FCA 1224 (‘AIC’) marks an undeniable watershed moment in Australian privacy jurisprudence, ushering in an explicit era of active enforcement under the Privacy Act 1988 (Cth) (‘the Act’). The Office of the Australian Information Commissioner (‘Commissioner’), the chief regulator of the Act, has long preferred to resolve disputes through conciliation. However, a more ‘proactive and harm-focussed [enforcement] approach’[1] has become apparent in recent years, including the Commissioner’s increased use of its power under s 52 of the Act to make determinations[2] and, more recently, the commencement of civil penalty proceedings against Optus and Medibank.

 

The case of AIC marks the first civil penalty proceedings brought by the Commissioner under the Act.[3] The judgment of Halley J addresses the systemic failures of Australian Clinical Labs Limited (‘ACL’), a major private hospital pathology business, following a serious cyberattack committed against the acquired IT systems of Medlab Pathology Pty Ltd (‘Medlab’) in February 2022. The resultant civil penalty of AUD$5.8 million, affirmed by the Court based on the parties' agreed facts and admissions, underscores the judiciary’s increasing readiness to impose substantial pecuniary consequences for breaches of sensitive personal and health information.

 

Although the misconduct occurred before the new ‘tiered’ penalty system introduced by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth) (‘2022 Amendment Act’), the decision of Halley J sets a precedent for courts to impose severe financial penalties for serious data breaches, especially where entities fail to take reasonable steps to protect personal information in Australia’s rapidly changing cyber environment.

 

II     CASE SUMMARY

 

On 19 December 2021, ACL acquired the assets of Medlab. Medlab held personal information including health information, contact information, passport numbers, credit card information, and payment details of more than 223,000 individuals. Medlab’s IT systems had numerous cybersecurity deficiencies (the ‘Medlab IT Systems Deficiencies’).

 

On or prior to 25 February 2022, a malicious actor known as Quantum Group attacked the Medlab computer network, which was being operated by ACL. On 25 February 2022, ACL instructed an external cybersecurity firm, StickmanCyber, to investigate and respond to the cyberattack and to advise on it. StickmanCyber advised that the ransomware demand was likely a mere ‘scare tactic’: AIC at [23]. After producing a report on 2 March 2022, StickmanCyber advised ACL on 15 March 2022 that, at the time StickmanCyber concluded its investigation, ‘no data was exfiltrated from the business’ and that it did not consider that the cyberattack had caused harm to any individual: AIC at [28]. In light of StickmanCyber’s advice and investigation, ACL had determined by 21 March 2022 that the cyberattack was not an eligible data breach and elected not to notify the Commissioner.

 

However, on or before 16 June 2022, 86 gigabytes of data was exfiltrated from the Medlab IT systems and published on the dark web including personal information, sensitive health information, and financial information such as complete credit card details. ACL made notification on 10 July 2022 to the Commissioner that ACL had reasonable grounds to believe that the cyberattack constituted an eligible data breach.

 

III    THE DECISION

 

The Court declared three contraventions of s 13G(a) of the Act by ACL:

(a)  Personal Information Contraventions: Breaches of Australian Privacy Principle (‘APP’) 11.1(b) due to inadequate cybersecurity controls. The Court additionally confirmed that ACL contravened s 13G(a) in respect of each of the more than 223,000 individuals affected. The Court imposed a penalty of $4,200,000 for this breach;

(b)  Assessment Contravention: A breach of s 26WH(2) of the Act for failing to carry out a reasonable and expeditious assessment of the data breach. The Court imposed a penalty of $800,000; and

(c)  Notification Contravention: A breach of s 26WK(2) of the Act for failing to notify the Commissioner as soon as practicable. The Court imposed a penalty of $800,000.

 

In total, ACL was ordered to pay $5,800,000 in civil penalties to the Commonwealth of Australia.

 

IV    DEFINING THE CONTOURS OF CYBER RESILIENCE: THE PERSONAL INFORMATION CONTRAVENTIONS

 

APP 11.1(b) relevantly provides that an entity that holds personal information ‘must take such steps as are reasonable in the circumstances to protect’ that personal information from ‘unauthorised access, modification or disclosure.’[4]

 

As APP 11.1(b) had not been the subject of prior judicial determination, Halley J provided essential clarity, stating that the standard applied is objective and necessarily ‘informed by the circumstances’: AIC at [50]. His Honour enumerated several factors informing this broad construction, including at [50]:

the sensitivity of the personal information, the potential harm to individuals if the information was accessed or disclosed, the size and sophistication of the APP entity, the cybersecurity environment in which the APP entity operates, and any previous threats or cyberattacks made against the APP entity.

 

Deriving guidance from analogous ‘reasonable steps’ provisions found within the Corporations Act 2001 (Cth),[5] Halley J also considered that the obligation to take reasonable steps cannot be satisfied merely by delegating the obligation to another entity and doing nothing more,[6] and that reasonableness should not be elevated to taking all reasonable steps, the ‘one true path’,[7] or the optimal steps.[8]

 

Given ACL’s standing as one of the largest private hospital pathology businesses in Australia, handling large amounts of sensitive health and financial information, the expectation of diligence was commensurately high.

 

The findings of the Court identified critical failures in both pre-acquisition diligence and ongoing security posture, categorised broadly into two groups of deficiencies:

 

(a)    Medlab IT Systems Deficiencies

 

The foundation of the Personal Information Contraventions rested upon the security failures inherent in the Medlab IT Systems, which ACL acquired and operated from 19 December 2021. ACL admitted that it ‘did not identify certain relevant vulnerabilities in the Medlab IT Systems prior to its acquisition of the Medlab assets’: AIC at [16].

 

The Medlab IT Systems Deficiencies included, per [18]:

(a)  the antivirus software deployed by Medlab computers ‘was not capable of preventing certain malicious files from being written or run on those systems’;

(b)  Medlab computers ‘utilised weak authentication measures’;

(c)  systems ‘were subject to firewalls that could only log one hour of activity before the logs were deleted’. This severe limitation critically hampered ACL's ability to determine when the attack occurred or whether data had been exfiltrated.

(d)  the systems ‘had no form of file encryption’;

(e)  the Medlab network server ‘was running a legacy system of a Windows server that was not supported by Microsoft from 14 January 2020’; and

(f)   the antivirus software deployed on the Medlab server ‘did not prevent or detect a threat actor uploading data from the server to the internet’.

 

(b)   Medlab Cyberattack Response Deficiencies

ACL also had operational and preparedness deficiencies that undermined its ability to respond effectively once the breach was discovered. These failures were material because they contributed to the breach of APP 11.1(b). Halley J found that ACL’s capacity to detect and respond to cyber incidents by itself was deficient because, per [53]:

(a)  the ACL cyber incidents playbooks ‘did not clearly define roles and responsibilities for incident response efforts’ and ‘contained limited detail on containment processes’ or steps to mitigate exfiltration. Furthermore, the playbooks ‘recommended steps for technologies that were not used within the Medlab IT Systems’;

(b)  there was ‘inadequate testing of incident management processes’ in the period between acquisition and the cyberattack;

(c)  ‘Data Loss Prevention was not used on the Medlab IT Systems to detect or prevent the theft of personal information’;

(d)  ‘adequate tooling/products that could perform behavioural-based analysis of activities in order to determine whether malicious actions might be undetected by an antivirus product were not used’;

(e)  there was ‘no application whitelisting in place to prevent unknown or unauthorised applications from running on Medlab computers’;

(f)  there were ‘only limited communications plans’;

(g)  the Medlab IT Team Leader ‘had not seen, used, or received training on the playbooks provided and had no formal cybersecurity background or incident response training’;

(h)  there was ‘limited security monitoring capability because the firewall logs were only retained for one hour’;

(i)  ‘specific data recovery plans had not been developed’; and

(j)  Medlab staff ‘were not required to use multifactor identification to use the Medlab VPN’.

 

(c)    Other Salient Considerations

 

Halley J stated that the totality of these facts satisfied the Court that ACL breached APP 11.1(b), leading to a serious interference with the privacy of the more than 223,000 affected individuals. The failure was deemed serious particularly having regard to ‘the extent of the Medlab IT System Deficiencies and the Medlab Cyberattack Response Deficiencies’: AIC at [58].

 

In this case, the Court noted that ACL operated in a landscape of high cybersecurity risk and that there was a real risk of harm to individuals should their health or other personal information be accessed and disclosed without approval. The Court also highlighted the ‘overreliance that ACL placed on third party service providers and its failure to have in place adequate procedures to detect and respond by itself to cyber incidents’ as contributing to the seriousness of the APP 11.1(b) breach: AIC at [52]. ACL’s delegation of operational responsibility to StickmanCyber as a third party did not automatically absolve it of its statutory duty. The reasonable steps obligation under APP 11.1(b) is non-delegable – relying purely on third-party providers, without sufficiently engaging in internal cyber resilience investigations, is contrary to the spirit of the APP. Although cybersecurity service providers can ensure that investigations are independent, comprehensive and impartial, AIC emphasises that it is nevertheless critical for entities to establish and use adequate internal procedures to independently identify and respond to cyber incidents.

 

V     THE IMPERATIVE OF TIMELY RESPONSES: INTERROGATING NDB OBLIGATIONS (ss 26WH and 26WK)

 

The judgment provides equally critical guidance on the operation of the Notifiable Data Breach (‘NDB’) scheme obligations under Part IIIC of the Act, which were breached by ACL on two fronts, constituting separate contraventions of section 13G(a) of the Act:

(a)   the Assessment Contravention, per s 26WH(2) of the Act; and

(b)  the Notification Contravention, per s 26WK(2) of the Act.

 

Compliance with the NDB scheme is critical to effective cyber security and supports both the prevention of cybercrime and harm minimisation following an incident. By notifying affected individuals of a relevant data breach, those affected persons are placed in a position whereby they can remediate, or at least mitigate, their risk of harm such as amending passwords or advising financial institutions as to their compromised information. The NDB scheme additionally has a general utility in ensuring that entities are accountable for privacy protection. To this extent, the NDB scheme reinforces privacy protection obligations owed by entities dealing with personal information and ensures relevant entities establish sufficient data breach response systems to comply with the NDB scheme.

 

(a)    Failure to Conduct a Reasonable and Expeditious Assessment (s 26WH(2))

 

The duty to conduct an assessment under section 26WH(2) is triggered when an entity is aware of ‘reasonable grounds to suspect that there may have been an eligible data breach of the entity’.[9] Halley J was persuaded that ACL had subjective knowledge or awareness of circumstances ‘that were objectively sufficient to establish in the mind of a reasonable person’ the requisite suspicion by 2 March 2022, that being the date on which StickmanCyber issued its report: AIC at [74].

 

The resultant obligation was to carry out a ‘reasonable and expeditious assessment’ within the mandated 30-day period.[10] The Court at [77] concluded that ACL contravened s 26WH(2) because the assessment undertaken was inadequate and unreasonable. ACL’s reliance solely upon the limited work conducted by StickmanCyber was deemed ‘unreasonable’ given ACL’s own awareness of the inherent deficiencies, particularly the inadequate technical controls still in place: AIC at [78]. The forensic assessment was inadequate because per [77]:

(a)   It only monitored ‘3 of the at least 127 computers subject to ransomware deployed by the Quantum Group’;

(b)  It did not conduct any investigation into ‘the Quantum Group and its attack traits to determine whether data was likely to have been exfiltrated’;

(c)   It based its review on ‘only one hour of firewall logs’, accessed approximately four hours after the ransom note was downloaded, severely restricting the ability to reconstruct the attack; and

(d)  It only conducted a ‘limited investigation’ of whether persistence mechanisms may have been established.

 

The Court affirmed the contravention of s 26WH(2) was ‘serious’ for the purposes of s 13G(a), noting that the ‘failure to conduct the stipulated reasonable and expeditious assessment likely resulted in a delay in ACL ultimately notifying the Commissioner’: AIC at [79]. This delay hindered the Commissioner’s function to assist affected individuals.

 

(b)   Failure to Notify the Commissioner 'As Soon As Practicable' (s 26WK(2))

 

The Notification Contravention arose under section 26WK(2) when ACL became aware that there were ‘reasonable grounds to believe that there had been an eligible data breach’. This requisite knowledge was attained by 16 June 2022, upon receiving the ‘second ACSC notification’ confirming ‘potentially 80gb of Medlab data was published from the Quantum group’ on the dark web: AIC at [35].

 

Upon gaining this belief, ACL was obligated to prepare and give the required statement to the Commissioner ‘as soon as practicable’.[11] Halley J interpreted the term ‘practicable’ by noting that the required notification statement under s 26WK(3) is ‘not particularly onerous’.[12] It merely requires a description of the breach, the kind of information concerned and recommendations for steps individuals should take.

 

ACL admitted it was practicable to have provided this statement ‘within two to three days’ of 16 June 2022: AIC at [89]. Instead, ACL delayed, not providing the statement until 10 July 2022, representing a 24-day delay. This was a further contravention of s 26WK(2). This delay was also determined to be a serious interference with privacy particularly as it ‘delayed the ability of the Commissioner to perform her statutory function’ in monitoring notifications and providing guidance and important information about the impact of the cyberattack: AIC at [91].

 

 

VI    THE NEW ENFORCEMENT ERA: PENALTY CALCULUS, DETERRENCE AND IMPACT OF STATUTORY AMENDMENTS

 

The Federal Court’s approval of the aggregate civil penalty of AUD$5.8 million against ACL is an explicit signal of the new phase of active enforcement under the Act. This outcome confirms the Court’s readiness to impose substantial financial consequences for serious breaches.

 

(a)    Judicial Methodology and the Multiplicity of Contraventions

 

ACL’s contraventions occurred prior to the 2022 Amendment Act. At the time of the breaches, the maximum civil penalty was 2,000 penalty units at a value of $222 per unit. A pecuniary penalty for a body corporate must not be more than five times the pecuniary penalty specified for the civil penalty provision.[13] The maximum penalty per contravention thereby equalled $2,220,000 (2,000 ⋅ $222 ⋅ 5).

 

Consistent with the objects of the Act, the Court accepted that ACL engaged in a ‘separate contravention of s 13G(a) in respect of each of the more than 223,000 individuals’ whose personal information was compromised: AIC at [60]. This finding confirmed the theoretical maximum penalty available under the prevailing regime was $495,060,000,000 [that being (2,000 ⋅ $222 ⋅ 5) ⋅ 223,000]: AIC at [121].

 

In determining the imposed penalty of $5,800,000, Halley J applied the principle of ‘instinctive synthesis’, weighing the following aggravating factors against the ameliorating steps taken by ACL:

 

Aggravating Factors

  • The contraventions were extensive and significant.

  • The contraventions resulted from a failure to act with sufficient due care and diligence in managing the risk of the cyberattack.

  • The contraventions had, at least, the potential to cause serious harm to affected individuals.

  • The contraventions had the potential to impact the public trust in entities holding personal information.

  • ACL was one of the largest private hospital pathology businesses.

  • ACL’s senior management were involved in the integration of the Medlab IT systems.

Mitigating Factors

  • ACL did not derive financial gain.

  • ACL had not previously contravened the Act.

  • The contraventions were not deliberate or from deliberate misconduct.

  • ACL had commenced a review of its cybersecurity processes and controls prior to the cyberattack.

  • ACL cooperated with the investigation conducted by the Commissioner since December 2022.

  • ACL admitted to the contraventions.

  • ACL apologised for the cyberattack.

  • The contraventions arose from a single course of conduct.

 

The final penalty was sufficient for specific and general deterrence, ensuring it could not objectively be characterised as ‘a cost of doing business’: AIC at [138].

 

(b)   The Intersection with the Privacy Legislation Amendment Act 2022

 

The most profound ramification of the AIC case lies in its retroactive interpretive authority over the drastically increased penalties introduced by the 2022 Amendment Act,[14] which commenced on 13 December 2022.

 

ACL's conduct, having occurred before this date, was assessed under the prior penalty regime. The 2022 Amendment Act has since introduced a tiered civil penalty regime. APP entities now need not meet the same ‘serious’ threshold to attract the OAIC’s attention. Rather, the following penalties now apply:[15]

  • Tier: Serious interferences with privacy (i.e. the tier applicable to ACL)

    • Penalty for corporations: the greater of:

      (a) AUD$50m;

      (b) three times the value of any benefit obtained by the misuse of information; or

      (c) if that value cannot be determined, 30% of the relevant APP entity’s turnover during the breach period.

    • Penalty for individuals (e.g. directors): AUD$2.5 million.

  • Tier: ‘Mid-tier’ contraventions that do not meet the threshold of ‘serious’

    • Penalty for corporations: AUD$3.3 million.

    • Penalty for individuals (e.g. directors): AUD$660,000.

  • Tier: ‘Low-tier’ breaches of specific APPs, or failure to comply with a compliance notice

    • Penalty for corporations: AUD$330,000.

    • Penalty for individuals (e.g. directors): AUD$66,000.

The judicial finding in AIC that each affected individual constitutes a separate contravention dramatically compounds the liability under the new regime. This methodology, coupled with the enhanced penalty quantum, means that a breach impacting even a relatively small number of individuals, for example, 10,000 persons, could expose a large corporation to potential penalties in the hundreds of millions or billions of dollars, creating an absurd and impracticable level of risk. This risk signals that cyber incidents now have the potential to pose significant financial implications for even Australia's largest companies.
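To make the penalty calculus in this Part concrete, the following is an added worked example (not part of the case note, the judgment, or any OAIC tool). It reproduces the pre-2022 arithmetic the Court applied (2,000 penalty units at $222, multiplied by five for a body corporate, then by the number of affected individuals) and the ‘greater of’ test for the serious tier under the 2022 Amendment Act, with the per-individual multiplier applied on top. The function and parameter names are assumptions chosen for illustration; the figures are those stated above, and the sample benefit and turnover inputs are constructed.

```python
"""Penalty arithmetic from the AIC v ACL case note.

Added worked example: the figures are those stated in the case note, the
function names are illustrative, and the benefit/turnover inputs below are
constructed. It reproduces statutory maximums only; it says nothing about
how a court exercises its discretion under 'instinctive synthesis'.
"""
from typing import Optional

# Pre-2022 regime figures as stated in the case note.
PENALTY_UNITS = 2_000          # maximum penalty units per contravention at the time
UNIT_VALUE_AUD = 222           # value of one penalty unit at the time
BODY_CORPORATE_MULTIPLIER = 5  # Regulatory Powers (Standard Provisions) Act 2014 (Cth) s 82(5)(a)

# Serious-tier corporate floor under the 2022 Amendment Act, as stated in the note.
SERIOUS_TIER_FLOOR_AUD = 50_000_000


def old_regime_max_per_contravention() -> int:
    """Maximum penalty for a single contravention under the pre-2022 regime."""
    return PENALTY_UNITS * UNIT_VALUE_AUD * BODY_CORPORATE_MULTIPLIER


def old_regime_theoretical_max(individuals: int) -> int:
    """Theoretical maximum where each affected individual is a separate
    contravention of s 13G(a), as the Court accepted at [60] and [121]."""
    return old_regime_max_per_contravention() * individuals


def serious_tier_corporate_max(benefit_aud: Optional[int], turnover_aud: int) -> int:
    """Maximum for one 'serious' corporate contravention under the 2022 regime:
    the greater of AUD$50m and three times the benefit obtained; where that
    benefit cannot be determined (benefit_aud is None), the comparator is
    instead 30% of turnover during the breach period."""
    if benefit_aud is not None:
        return max(SERIOUS_TIER_FLOOR_AUD, 3 * benefit_aud)
    return max(SERIOUS_TIER_FLOOR_AUD, turnover_aud * 3 // 10)


def serious_tier_theoretical_max(individuals: int, benefit_aud: Optional[int],
                                 turnover_aud: int) -> int:
    """Per-individual compounding applied to the serious-tier maximum, i.e. the
    exposure the note describes for a breach affecting a given number of people."""
    return serious_tier_corporate_max(benefit_aud, turnover_aud) * individuals


if __name__ == "__main__":
    # The Court's own figures: $2,220,000 per contravention, $495,060,000,000 across
    # the 223,000 affected individuals.
    print(f"old regime, per contravention: ${old_regime_max_per_contravention():,}")
    print(f"old regime, 223,000 individuals: ${old_regime_theoretical_max(223_000):,}")

    # Constructed inputs: an entity with no determinable benefit (as with ACL, which
    # derived no financial gain) and AUD$100m turnover, for the 10,000-person
    # scenario mentioned above.
    print(f"2022 regime, 10,000 individuals, no benefit, $100m turnover: "
          f"${serious_tier_theoretical_max(10_000, None, 100_000_000):,}")
```

The turnover branch uses integer arithmetic (`turnover_aud * 3 // 10`) so that large figures do not pick up floating-point rounding; under the stated test, a determinable benefit means the turnover comparator is not used at all, which is why `benefit_aud=0` yields only the $50m floor.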

 

VII  TAKEAWAYS FROM THE DECISION

 

(a)    Reasonable steps obligation

 

AIC provides useful guidance for entities as to what constitutes reasonable steps under the Act. Importantly, the Court’s observation that ACL ought to have been aware of the high cybersecurity risk environment in which it operated introduces something of a ‘sliding reasonableness scale’ for businesses – that is, an entity operating in a low-risk environment may not necessarily face the same reasonableness threshold as one operating in a high-risk environment such as ACL’s. Even then, the risk profile of the environment in which a company operates can itself fluctuate over time. For instance, a low-risk environment may suddenly be subject to numerous serious cyberattacks, leading that environment to be considered a high-risk one. Companies thereby ought to be constantly and fully acquainted with the unique cyber risks affecting the sphere they operate within, as this will mould their cybersecurity expectations.

 

The fact that the reasonable steps assessment is a holistic one also emphasises the need for businesses to have robust cyber risk management systems, to constantly assess the efficacy of those systems, and to have comprehensive multi-disciplinary cyber incident response teams to manage breaches should they occur. It is to be noted, however, that the reasonableness requirement under APP 11.1(b) does not demand optimality, nor does it require an organisation to take all possible reasonable steps.

 

(b)   Due diligence

 

A pertinent factor as to ACL’s contravening conduct was the failure to address the risks and cybersecurity deficiencies of the acquired Medlab IT systems. Businesses in M&A contexts thereby ought to conduct proper due diligence when acquiring IT systems and personal information from other entities. Due diligence cannot end at a mere paper questionnaire, but must properly encompass thorough investigations and testing to confidently deduce the suitability of the acquired cybersecurity systems. Where issues become apparent, those issues ought to be addressed as effectively as possible prior to or, at least, immediately after the integration of the acquired IT systems.

 

(c)    The importance of cybersecurity commitments

 

ACL approved a program in July 2021 to uplift ACL’s cybersecurity capabilities, including a requirement since August 2022 that all ACL employees engage in cybersecurity training. In August 2023, ACL additionally appointed a Chief Information Security Officer. Although the appointment occurred after ACL’s relevant contraventions, the Court held that it showcased ACL’s ongoing commitment to developing a satisfactory culture of compliance. Such an evident commitment was a mitigating factor in the civil penalty assessment.

 

As such, pre- and post-contravention conduct indicating a commitment to enhancing cybersecurity is a mitigating factor that the Courts can consider if a breach does occur. This provides an incentive for companies to take positive steps to encourage compliance with the Act and to improve their cybersecurity systems even after an attack has occurred. This is important. If the Court could only consider an organisation’s compliance attempts before the breach as a mitigating factor, companies would have no incentive to remediate the faults in their cybersecurity systems, at a minimum, in the period between when the breach occurred and when proceedings are commenced. The fact that the Court can reward compliance efforts at any time before or after a breach encourages companies to constantly aim to comply with the Act.

 

VIII CONCLUSION

 

The judgment of Halley J in Australian Information Commissioner v Australian Clinical Labs Limited (No 2) FCA 1224 serves as the definitive judicial pronouncement marking the OAIC’s transition to an era of active enforcement, definitively establishing the seriousness of systemic security failures, inadequate assessment and protracted breaches of NDB notification obligations under s 13G(a) of the Act. Crucially, the affirmation of the per-individual approach to calculating penalties for APP 11.1 breaches provides the legal mechanism which, when fused with the augmented maximum penalty regime under the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, translates compliance failure into an exponential and potentially existential corporate risk. This decision unequivocally mandates that entities must prioritise non-delegable security controls, conduct rigorous cyber due diligence in M&A activities and ensure rapid, competent internal incident assessment, thereby establishing a new regulatory baseline that demands proactive cyber resilience across the Australian economy.

 

FOOTNOTES:

[1] ‘Statement of regulatory approach’, Office of the Australian Information Commissioner (Web Page, 20 February 2025) <https://www.oaic.gov.au/about-the-OAIC/our-regulatory-approach/statement-of-regulatory-approach>.

[2] Normann Witzleb, ‘Privacy law: Personal information under the Privacy Act 1988 (Cth) – Privacy Commissioner v Telstra Corporation Ltd [2017] FCAFC 4’ (2017) 45(2) Australian Business Law Review 188, 188.

[3] It is to be noted that ASIC has previously made declarations and penalty orders for cyber breaches and deficient responses pursuant to the Corporations Act 2001 (Cth): see for example, Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496.

[4] Privacy Act 1988 (Cth) sch 1 s 11.1.

[5] Corporations Act 2001 (Cth) ss 961L, 963F, 994E(5).

[6] Per Clarke (as trustee of the Clarke Family Trust) & Ors v Great Southern Finance Pty Ltd (Receivers and Managers Appointed) (in liquidation) & Ors [2014] VSC 516 at [543] (Croft J).

[7] Per Australian Securities and Investments Commission v R M Capital Pty Ltd [2024] FCA 151 at [73] & [80] (Jackson J).

[8] Per Australian Securities and Investments Commission v R M Capital Pty Ltd [2024] FCA 151 at [392] (Moshinsky J).

[9] Privacy Act 1988 (Cth) s 26WH(1)(a).

[10] Privacy Act 1988 (Cth) s 26WH(2)(a).

[11] Privacy Act 1988 (Cth) s 26WK(2)(b).

[12] Privacy Act 1988 (Cth) s 26WK(3).

[13] Regulatory Powers (Standard Provisions) Act 2014 (Cth) s 82(5)(a).

[14] Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth).

[15] Privacy Act 1988 (Cth) s 13G.

Disclaimer:

‘Black Letter Law’ communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.
