The Australian privacy regulator has had its first successful outcome in civil penalty proceedings under the Privacy Act 1988 (Cth) (Privacy Act), ordering Australian Clinical Labs (ACL) to pay $5.8 million for the interference with the privacy of 223,000 individuals following the 2022 data breach.
This alert summarises the Federal Court of Australia’s findings on ACL’s contraventions that led to this outcome, and sets out key considerations for businesses across all sectors on carrying out a reasonable and expeditious assessment of a data breach and notifying the Commissioner ‘as soon as practicable’.
The Court’s decision also provides useful guidance on how the Court quantifies penalties in civil penalty proceedings arising from data breaches.
The ACL and the Australian Information Commissioner put forward an agreed penalty of $5.8 million for the Court’s consideration. This proposed penalty was calculated based on three distinct categories of contraventions, as follows:
Personal Information Contraventions (equal to $4,200,000);
Assessment Contravention (equal to $800,000); and
Notification Contravention (equal to $800,000).
Each of these categories is discussed in more detail below.
The Court was persuaded that the agreed penalty was appropriate in the circumstances, noting that the practice of receiving and, if appropriate, accepting agreed penalty submissions increases, amongst other things, the predictability of outcomes for regulators and wrongdoers.
In its consideration of the appropriate penalty, the Court considered the theoretical maximum penalty in relation to the incident, being $495,060,000,000 (223,000 contraventions x $2,220,000). Consistent with the approach taken in other Australian regulatory penalty proceedings, the Court’s approach to penalty calculation focused on what is appropriate in the circumstances to achieve the public policy objectives of specific and general deterrence, rather than simply applying the theoretical maximum penalty available under statute.
ACL was also ordered to contribute $400,000 towards the Commissioner’s costs in the proceeding.
As noted in our earlier alert, because ACL’s alleged conduct occurred before the increased penalty provisions for bodies corporate for serious or repeated interferences with privacy under the Privacy Act came into effect, ACL was subject to the prior penalty regime.
The Court observed that:
In December 2021, ACL acquired Medlab Pathology Pty Ltd (Medlab) and from the date of acquisition had owned and controlled Medlab’s computer and communications hardware, computer and information technology systems, equipment, and software (Medlab IT Systems).
In January 2022, ACL established a plan to integrate (or, if integration was not appropriate, decommission) the Medlab IT Systems into ACL's core IT environment by 30 June 2022, meaning the Medlab IT Systems would be kept separate from ACL’s IT environment for approximately six months. Prior to integration into ACL’s core IT environment, the Medlab IT Systems had cybersecurity deficiencies, for example:
the antivirus software deployed on Medlab computers was not capable of preventing certain malicious files from being written or run on those systems;
Medlab computers utilised weak authentication measures;
they were subject to firewalls that could only log one hour of activity before the logs were deleted;
they had no form of file encryption;
the Medlab network server was running a legacy version of Windows Server that Microsoft had not supported since 14 January 2020; and
the antivirus software deployed on the Medlab server did not prevent or detect a threat actor uploading data from the server to the internet.
Between 19 December 2021 and 15 July 2022, ACL contravened section 13G(a) of the Privacy Act by failing to implement adequate cybersecurity controls to protect personal information held on the Medlab servers from unauthorised access, modification or disclosure, in breach of Australian Privacy Principle 11.1(b).
The Court found that:
ACL contravened section 26WH(2) of the Privacy Act by failing to carry out a reasonable and expeditious assessment within 30 days of 2 March 2022 to determine whether there were reasonable grounds to believe the Medlab Cyberattack amounted to an eligible data breach;
the assessment conducted by the forensic investigator was inadequate as it only monitored three of at least 127 affected computers, did not investigate the threat actor’s attack traits, based its review on only one firewall log accessed four hours after the ransom demand was downloaded, and conducted only limited investigation of potential persistence mechanisms; and
ACL was aware of the forensic investigator’s limited assessment scope, making it unreasonable to rely solely on that assessment.
The Court found that:
having formed the view by 16 June 2022 that there were reasonable grounds to believe an eligible data breach had occurred, ACL contravened s 26WK(2) of the Privacy Act by failing to notify the Commissioner as soon as practicable; and
it was practicable to have notified the Commissioner within two to three days of 16 June 2022; ACL did not provide the statement until 10 July 2022, a 24-day delay that constituted a breach.
Her Honour also applied the French Factors (discussed here) in her consideration of the appropriateness of the agreed penalty, acknowledging that there were several factors which reduced the penalty that was imposed, including ACL’s cooperation with the investigation undertaken by the Commissioner:
ACL did not derive any financial gain or benefit from the contraventions ([130]).
ACL had not previously been found by a court to have contravened the Act or engaged in similar conduct ([131]).
The contraventions were not deliberate and did not arise from any deliberate misconduct by senior management ([132]).
ACL had commenced a review of its cybersecurity controls prior to the incident, implemented staff cybersecurity training, and appointed a Chief Information Security Officer, demonstrating meaningful steps toward a culture of compliance ([133]).
ACL cooperated with the Commissioner’s investigation, providing multiple written responses and approximately 12,000 documents ([134]).
ACL made early admissions of the contraventions through a Statement of Agreed Facts and Admissions ([135]).
ACL’s CEO issued a public apology following the data breach ([136]).
The 223,000 contraventions arose from a single course of conduct, relevant to the totality principle ([137]).
The Australian Information Commissioner welcomed the Court’s orders, noting that the case underscores the need for all entities captured by the Privacy Act to remain alert to their obligations to protect and responsibly manage personal information.
Australia’s Privacy Commissioner similarly stressed that the decision serves as a clear warning to entities, particularly those in the healthcare sector, that serious lapses in safeguarding individuals’ personal and health information will have significant repercussions.
Echoing the sentiments of both Commissioners, we view this as a timely reminder for businesses, particularly those expanding operations or acquiring new IT systems, to be vigilant in maintaining robust privacy and security controls across all environments. This case also provides useful guidance to businesses on penalty calculation for regulatory action taken under the Privacy Act, which is helpfully consistent with the Court’s practices across other Australian regulatory penalty proceedings.