Australia’s First Civil Penalty For Privacy Act Breach: ACL To Pay $5.8 Million
Last week, the Federal Court ordered Australian Clinical Labs Limited (ACL) to pay a $5.8 million penalty over a 2022 data breach. The decision is significant for a number of reasons, not just because it is the first civil penalty ever imposed for a breach of the Privacy Act.
The data breach impacted 223,000 individuals, meaning the penalty amounted to just over $26 per person. While some commentators are pleased to see the powers under the Privacy Act being used this way, others are concerned that this penalty isn’t large enough in the circumstances. We dig into what happened, what factors were considered in determining the penalty, and what Australian organisations should take away from this case.
Background
In November 2023, the OAIC commenced civil penalty proceedings against ACL in the Federal Court following a data breach that affected 223,000 Australians. The enforcement action is the first in Australia to be based on a failure of information security, including delay in notifying the breach.
The proceedings arose from a breach suffered by ACL’s subsidiary, Medlab, in February 2022. ACL did not notify the OAIC until 10 July 2022, some five months later.
The OAIC alleged specific breaches of the Privacy Act, including:
- breach of APP 11 for failing to take reasonable steps to protect personal information;
- failure to conduct a reasonable and expeditious assessment of whether an eligible data breach had occurred; and
- failure to promptly notify an eligible data breach, as required by the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act.
You can read more about the background of this data breach in our earlier post.
ACL and the OAIC subsequently negotiated an agreed outcome to the proceedings, with ACL consenting to the findings of contravention and to the aggregate civil penalty sought by the Commissioner. However, the Federal Court still had to determine for itself whether the declarations and penalty orders were appropriate and sufficient for the purposes of both specific and general deterrence, given the serious nature of ACL’s contraventions. The Court did so, handing down its judgment in October 2025.
Agreed Deficiencies in ACL’s Cybersecurity Mechanisms
This is the first case in Australia in which a court has considered what “reasonable steps” to secure personal information look like for the purposes of APP 11.
The Court’s task was made easier by ACL admitting to significant cyber security failures, so the judgment does not set a contested standard; it records the failures that ACL accepted fell short of reasonable steps.
In an Agreed Statement of Facts, ACL acknowledged that its cybersecurity mechanisms were lacking because:
- Its incident response playbooks did not clearly define roles or responsibilities;
- Incident management processes were not adequately tested;
- Data Loss Prevention (DLP) was not deployed on the Medlab IT Systems after ACL acquired Medlab;
- Adequate security tooling and products were not in use;
- No application whitelisting (allow-listing) was implemented;
- Communications plans were limited;
- Medlab IT leaders had not received sufficient training;
- Security monitoring was limited because firewall logs were retained for only one hour before being deleted;
- Data recovery plans had not been developed; and
- Medlab did not require its staff to use multifactor authentication.
These agreed deficiencies can serve as a foundation for your own control checklist, especially if you operate in the healthcare sector or otherwise hold sensitive information about your customers. Bear in mind that the list records where ACL fell short, not everything a regulator might expect; treat it as a minimum rather than a complete standard.
It is also worth noting that, in considering what was reasonable, the Court took into account the following factors:
- the size and nature of ACL’s business;
- the volume and sensitivity of the information;
- the high cyber security risks facing ACL, and the risk of harm to individuals if their health and other personal information held on the Medlab IT Systems was accessed and disclosed without authorisation;
- the Medlab IT Systems Deficiencies, ACL’s failure to identify them before the acquisition, and the delay in ACL identifying them afterwards; and
- the overreliance that ACL placed on third party service providers, and its failure to have in place adequate procedures to detect and respond to cyber incidents itself.
Australia’s First Civil Penalty Amount for Privacy Act Breach
The $5.8 million ACL was ordered to pay is made up as follows:
- $4.2 million for its failure to take reasonable steps to protect the personal information it held, under APP 11.1;
- $800,000 for failing to carry out a reasonable and expeditious assessment of whether a data breach had occurred, in contravention of s 26WH(2) of the Privacy Act; and
- A further $800,000 for its failures to promptly prepare a statement about the data breach, and give it to the Australian Information Commissioner, in contravention of s 26WK(2) of the Privacy Act.
ACL was also ordered to pay a further $400,000 as a contribution towards the Commissioner’s costs in the proceeding.
Worth noting is that this penalty was imposed under the previous penalty regime, because the contraventions occurred before 13 December 2022, when the increased penalties commenced.
The current penalty regime allows for much higher penalties for serious data breaches: the greater of $50 million, three times the benefit derived from the conduct, or 30% of the business’s adjusted turnover for the relevant period. These maximums also apply per contravention, so they can add up very quickly if the maximum is imposed. That said, we don’t expect to see those per-contravention maximums often, if at all.
Factors Contributing to the Penalty Being Imposed
Under the Privacy Act, civil penalties can only be awarded for serious or repeated interferences with privacy. The Act does not define ‘serious’. The judge referred to the ASIC Act and the Corporations Act, where a “serious contravention” has been construed as one that is “grave or significant” or “weighty, important, grave and considerable”, and acknowledged that, ‘in every case, it is ultimately a question of fact to be determined by reference to the degree of the departure from the requisite standard of care and diligence and the nature of the conduct, rather than the nature of the provision that has been contravened.’
In this case, the judge found that the contraventions were serious. Some of the factors that contributed to that finding included:
- ACL’s deficient cyber security controls were extensive and significant.
- The contraventions had the potential to cause significant harm to 223,000 individuals.
- The breaches also had the potential to damage public trust in entities that hold sensitive information.
- ACL’s considerable size, with hundreds of millions in revenue and profit, is a relevant factor for the purpose of personal deterrence.
- ACL’s most senior management was directly involved in decisions regarding the integration of Medlab’s IT Systems and the company’s response to the resulting cyberattack.
The judgment acknowledges that the above factors may make a $5.8 million penalty appear inadequate, a sentiment reflected in some commentary about the case, especially on social media.
However, the judge went on to note the following factors that made the $5.8 million penalty appropriate (i.e. factors in ACL’s favour):
- ACL did not gain any financial benefit from the contraventions.
- ACL has no previous court findings of contravening the Act or similar conduct.
- The contraventions did not appear to be deliberate or the result of deliberate misconduct by senior management.
- ACL had initiated a cyber security review before the attack, approving an uplift program, implementing employee training and appointing an experienced Chief Information Security Officer.
- ACL cooperated with the Commissioner’s investigation, providing extensive documentation and written responses.
- ACL formally admitted the contraventions after the proceeding began by filing a Statement of Agreed Facts and Admissions.
- The CEO of ACL publicly apologised for the Medlab cyberattack in an ASX announcement.
Key Takeaways for Australian Organisations
There are several important takeaways from this first civil penalty proceeding:
- While $5.8 million is not as severe a penalty as we have seen in European enforcement, it is still a significant penalty for a data breach. Given that the current penalty regime in Australia allows for much steeper penalties, this decision signals a new era in Australian privacy enforcement. Organisations should factor penalties of this order into their risk matrices when making decisions about privacy implementation.
- The level of cyber security protection you have in place must be proportionate to the volume and sensitivity of the personal information you collect and store. In particular, if you do not require your team to use multifactor authentication to access sensitive information, be warned that penalties may follow in the event of a data breach. MFA’s security benefits are well worth the modest technical effort of implementing it.
- Your incident response plan must be tested, clearly communicated and capable of prompt execution, with roles and accountabilities clearly defined. $1.6 million of this penalty related to the way ACL assessed and notified the breach and handled the surrounding communications. While cyber security incidents can be unpredictable, how you respond and communicate is well within your control.
- Retaining a third party to provide advice may not help if that third party is not appropriately skilled, not just in understanding data breach reporting obligations but in undertaking a proper and detailed forensic analysis. The obligation to assess and notify remains yours.
- You must conduct cyber due diligence as part of any acquisition or merger. ACL’s failure to properly understand the cyber security risks in the systems operated by Medlab, the business it acquired, and to implement a plan to remediate those risks contributed to the ‘serious’ nature of the contraventions.
If you need help improving your organisation’s privacy posture, reach out. Our privacy professionals are available to help. Start with a free consultation.