Australian data breaches cost serious money

A pathology business, Australian Clinical Labs, was just hit with $5.8 million in civil penalties in relation to a data breach in 2022. The breach compromised the personal information of 223,000 people.

These are the first civil penalties ordered under the Privacy Act 1988 (Cth). There will be more.

The Australian Information Commissioner warned companies they must remain vigilant in securing personal information.

‘These orders represent a notable deterrent’, she said. Got that right. Are you handling lots of customer data? Are you taking security seriously? If not, look out.

The Federal Court made orders imposing the following penalties:

  • $4.2 million for its failure to take reasonable steps to protect personal information
  • An additional penalty of $800,000 for its failure to carry out an ‘expeditious assessment’ of whether an eligible data breach had occurred.
  • And a further $800,000 for not promptly providing the government with a statement on the data breach.

Justice Halley said that:

  • ACL’s most senior management were involved in the decision-making.
  • Contraventions resulted from ‘its failure to act with sufficient care and diligence in managing the risk of a cyberattack on the Medlab IT Systems’.
  • ACL’s conduct ‘had at least the potential to cause significant harm to individuals whose information had been exfiltrated, including financial harm, distress or psychological harms, and material inconvenience.’
  • The contraventions ‘had the potential to have a broader impact on public trust in entities holding private and sensitive information of individuals.’

Interesting: the Judge said several factors reduced the penalty that was imposed. ‘ACL … cooperated with the investigation undertaken by the office of the Commissioner’, and that it had commenced ‘a program of works to uplift the company’s cybersecurity capabilities’. Also, they apologised and admitted liability.

Under the new regulations, maximum penalties per contravention can be as much as $50 million, three times the benefit derived from the conduct, or up to 30% of a business’s annual turnover per contravention. Yikes.

Here are the lessons:

  1. Take pre-emptive security seriously. Don’t just leave it to your I.T. guy; prepare your business. Get advice, get a plan, and get an experienced Managed Services provider if you’re anything more than a one-man band.
  2. If something goes wrong, notify those whose data has been exposed and immediately notify the Office of the Australian Information Commissioner (OAIC). A failure to report = big penalties.
  3. Own it. Apologise. Admit liability.

Call us if you need advice or managed services. 9325 1196.