
Major privacy breaches over the last five years have raised plenty of public attention and anger towards companies accused of lax cybersecurity measures. The penalties have been underwhelming for many critics. That may have changed with the first civil penalty under the Privacy Act, making Australian Clinical Labs (ACL) liable for $5.8 million over the 2022 breach of over 223,000 customers' data, including payment and address details.

On 8 October, the Federal Court ordered that Australian Clinical Labs (ACL) pay the penalty in relation to a data breach by its Medlab Pathology business in February 2022.

The majority ($4.2 million) is for failing to take reasonable steps to protect the data.

The penalty reflects the enforcement powers of the Office of the Australian Information Commissioner (OAIC), which is presently conducting two more civil penalty proceedings over 2022 breaches of customer data. With Optus also under scrutiny, and with large-scale scams now able to be launched quickly from foreign “scam factories” or with the help of AI and data centres, the onus on companies to firm up their cybersecurity audits, monitoring and reporting, both internally and to customers, on the measures they are taking is greater than ever.

The Federal Court has made orders imposing the following penalties:

  • a penalty of $4.2 million for ACL’s failure to take reasonable steps to protect the personal information held by ACL on Medlab Pathology’s IT systems under Australian Privacy Principle 11.1, which amounted to more than 223,000 contraventions of s 13G(a) of the Privacy Act;
  • a penalty of $800,000 for ACL’s failure to carry out a reasonable and expeditious assessment of whether an eligible data breach had occurred following the cyberattack on the Medlab Pathology IT systems in February 2022, in contravention of s 26WH(2) of the Privacy Act; and
  • a penalty of $800,000 for ACL’s failures to prepare and give to the Australian Information Commissioner, as soon as practicable, a statement concerning the eligible data breach, in contravention of s 26WK(2) of the Privacy Act.

Justice John Halley said in his judgment that “ACL’s contraventions … resulted from its failure to act with sufficient care and diligence in managing the risk of a cyberattack on the Medlab IT Systems”.

The penalty could have been greater, but because the contraventions occurred when the maximum penalty was $2.22 million per contravention, the new, higher maximum penalties (in force from 13 December 2022) did not apply. Further, Justice Halley found that “ACL … cooperated with the investigation undertaken by the office of the Commissioner”, and that it had initiated “a program of works to uplift the company’s cybersecurity capabilities”.

ACL admitted the contraventions, consented to orders being made and the parties made joint submissions on liability and penalty.

Under the present regime, maximum penalties extend to $50 million per contravention, three times the benefit derived from the conduct, or up to 30 per cent of a business’s annual turnover per contravention.

In a statement, Privacy Commissioner Carly Kind said, “Today’s outcome represents an important turning point in the enforcement of privacy law in Australia. For the first time, a regulated entity has been subject to civil penalties under the Privacy Act, in line with the expectations of the public and the powers given to the OAIC by parliament. This should serve as a vivid reminder to entities, particularly providers operating within Australia’s healthcare system, that there will be consequences of serious failures to protect the privacy of those individuals whose healthcare and information they hold.”

Lander & Rogers partner Melissa Tan (supplied)

Melissa Tan is a partner at Lander & Rogers. She believes the judgment is important because it demonstrates the OAIC’s commitment to flexing its enforcement arm for breaches of the Privacy Act.

“Following an investigation or privacy complaint, besides applying to the court for a civil penalty order for a breach of a civil penalty provision, the OAIC is also able to issue an infringement notice, accept an enforceable undertaking, or make a determination. The key difference is that the OAIC will not seek a civil penalty order in all matters involving serious and/or repeated interferences with privacy. The OAIC will not start civil penalty proceedings unless it is satisfied that litigation is the most suitable method of dispute resolution, there are reasonable grounds for starting the litigation and the available evidence is sufficient.”

Tan reminds LSJ Online that: “Prior to the ACL case, the OAIC’s first enforcement proceedings were commenced against Meta Platforms, Inc. (Meta), where personal information of Australian Facebook users was disclosed to the This is Your Digital Life app in breach of the Privacy Act and exposed to the risk of disclosure to Cambridge Analytica and other third parties, and risked being used for political profiling purposes. That case, however, did not result in civil penalties because the OAIC and Meta ultimately settled the matter agreeing to a $50 million payment program as part of an enforceable undertaking provided by Meta.”

Optus faces civil penalty for 2022 breach

On 8 August, the Australian Information Commissioner (AIC) filed civil penalty proceedings in the Federal Court against Singtel Optus Pty Limited and Optus Systems Pty Limited (together, Optus), following an investigation in relation to the data breach made public by Optus on 22 September 2022. LSJ Online covered the breach at the time, which affected millions of former, current and prospective Optus customers. The AIC alleges that “Optus seriously interfered with the privacy of approximately 9.5 million Australians by failing to take reasonable steps to protect their personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure, in breach of the Privacy Act 1988.”

Ultimately, Optus failed in its duty to install and maintain cybersecurity and information security measures proportionate to the quantity and personal nature of information Optus held and its inherent risk profile as a major telecommunications provider.

The AIC has recourse to apply to the Federal Court for a civil penalty order where an entity is alleged to have contravened section 13G of the Privacy Act by engaging in serious or repeated interferences with privacy.

The Federal Court can impose a civil penalty of up to $2.22 million for each contravention. The AIC alleges one contravention for each of the 9.5 million individuals whose privacy it alleges Optus seriously interfered with. Optus therefore faces a potentially significant penalty, and the ACL case that preceded it indicates the Federal Court is a tiger with teeth. Since December 2022, civil penalties have increased to up to $50 million. However, the alleged contraventions occurred from 17 October 2019 to 20 September 2022, so the outcome of the civil case, let alone the amount of any penalty, is in the court’s hands.

The AIC Commissioner, Elizabeth Tydd, shared a statement: “The commencement of these proceedings confirms that the OAIC will take the action necessary to uphold the rights of the Australian community.”

She added: “Organisations hold personal information within legal requirements and based upon trust. The Australian community should have confidence that organisations will act accordingly, and if they don’t the OAIC as regulator will act to secure those rights.”

Companies should be focusing on both the technology and human aspects of cyber risk management

Tan says, “In terms of technology, there are some fundamental basic steps that can be put in place easily, like the Essential Eight, including regular backups and having MFA (multi-factor authentication) in place. Having a 24/7 SOC (security operations centre) and engaging vendors that have the technical capability to proactively monitor and detect threats and triage those matters in real time is also important, because the issue is that sometimes these threats are not detected quickly enough and by the time it is discovered, it’s too late.

“If the human error element can be minimised, and a “human firewall” created to ensure an active collective layer of defence against cyber threats, in addition to technological safeguards, we will likely be able to reduce the success of these cyberattacks significantly.”