OAIC sues ACL for security failure
In November 2023, the Office of the Australian Information Commissioner (OAIC) announced the commencement of civil penalty proceedings against Australian Clinical Labs Limited (ACL), over a data breach that affected 223,000 Australians.
Proceedings were commenced only a week after the OAIC’s regulatory record (or rather, its lack of regulatory action) was criticised in Senate Estimates. This is only the second time the OAIC has used the civil penalty powers it was granted in 2012, and the first time it has taken such action over a failure of security (including the delay in notifying the breach). This should be an interesting one, folks!
Background to OAIC Enforcement Action
ACL is an ASX-listed company, which acquired Medlab Pathology in 2021. Medlab Pathology collects the health information of millions of individual patients, along with other personal identifying and contact information, in order to share test results and issue invoices. This includes copies of Medicare cards and Medicare numbers.
ACL generated revenue of $995.6 million in the financial year ending June 2022.
Medlab Pathology suffered a data breach in February 2022, but ACL only notified the OAIC on 10 July 2022, some five months after it occurred.
ACL disclosed the data breach to the ASX in late October 2022, stating that the information of around 223,000 individuals had been affected, including personal information, sensitive health information and credit card information.
The OAIC kicked off a Commissioner-initiated investigation into the data breach in December 2022. The proceedings are a result of that investigation.
In response to the news, ACL has said it will be “defending the [OAIC’s] claim and asserts that its cyber security systems are robust”.
What are the alleged breaches by ACL?
According to the OAIC’s statement, the OAIC believes that:
… from May 2021 to September 2022, ACL seriously interfered with the privacy of millions of Australians by failing to take reasonable steps to protect their personal information from unauthorised access or disclosure in breach of the Privacy Act 1988.
The Commissioner also alleges that following the data breach, ACL failed to carry out a reasonable assessment of whether it amounted to an eligible data breach and then failed to notify the Commissioner as soon as practicable.
In particular, the Commissioner alleges breaches of the following provisions of the Privacy Act:
- APP 11, in failing to take reasonable steps to protect the personal information;
- Section 26WH(2), in failing to carry out a reasonable and expeditious assessment of whether there was an ‘eligible data breach’;
- Section 26WK(2), in failing to notify the OAIC as soon as practicable after ACL became aware of reasonable grounds to believe there had been an eligible data breach.
The Commissioner states that these failures left ACL vulnerable to cyberattack. The OAIC said: “As a result of their information being on the dark web, individuals were exposed to potential emotional distress and the material risk of identity theft, extortion and financial crime.”
The OAIC’s enforcement and penalty powers
Under section 13G of the Privacy Act, an organisation will be liable for a civil penalty if it does an act, or engages in a practice, that is a serious interference with the privacy of an individual.
However, under the current legislation, the OAIC cannot impose a civil penalty directly. For a penalty to apply, the OAIC must commence proceedings in the Federal Court and ask the court to make a civil penalty order.
Under the penalty regime that applies to this conduct, the Federal Court can impose a civil penalty on a body corporate of up to $2,220,000 for each contravention.
Following the Optus and Medibank breaches in late 2022, the Privacy Act was amended to, among other things, raise the maximum penalty amount. Since December 2022, the new maximum civil penalty for a serious and/or repeated interference with privacy by a body corporate is the greater of:
- $50 million; or
- if a court can determine the value of the benefit that the body corporate (and its related bodies corporate) directly or indirectly obtained from the contravention – three times the value of that benefit; or
- if a court cannot determine the value of that benefit – 30% of the adjusted turnover of the body corporate during the breach turnover period (minimum 12 months) for the contravention.
These new penalties will not apply to these proceedings, because the conduct alleged against ACL (May 2021 to September 2022) pre-dates the commencement of the amendments.
What changes to the OAIC’s powers will be introduced?
In its response to the Privacy Act review report, the Australian Government agreed that section 13G of the Privacy Act, which deals with ‘serious or repeated’ breaches of privacy, should be amended to remove the word ‘repeated’ and clarify that a ‘serious’ interference can include repeated interferences with privacy (without those interferences necessarily being of themselves serious).
The Government also agreed that a new mid-tier civil penalty provision, covering interferences with privacy that do not meet the threshold of being ‘serious’, and a new low-level civil penalty provision, for specific administrative breaches of the Privacy Act and the APPs, should be introduced. For these penalties, the OAIC would be empowered to issue infringement notices with set penalties.
OAIC’s use of powers
Although there is no doubt that increased penalty powers will encourage privacy compliance, the OAIC does not have a strong track record of using the powers it already has.
In recent Senate Estimates hearings, Greens Senator David Shoebridge noted that the OAIC had been notified of 1,748 data breaches over the last two financial years but that “not a single penalty has been issued”. In response, the Commissioner, Ms Falk, said the office had worked to ensure the purpose of the notifiable data breaches scheme was achieved, “which is that individuals are notified [so] that they can take steps to mitigate their risk”. She also confirmed that investigations had been undertaken but that “[t]hey’ve been resolved by means other than by penalties.” Ms Falk also referred to the current major investigations underway, “which is a result of specific funding that has enabled that kind of regulatory activity and has been very welcome.” This is a reference to the Optus data breach funding, which was included as a specific allocation in the most recent budget.
It is also, no doubt, a recognition that the OAIC has not been funded or resourced to investigate complex data breach cases, or to take the action required to pursue penalties in those cases where that might be justified.
The outcome of these proceedings, and the Optus, Medibank and Latitude Finance data breach investigations, and in particular whether any penalties will be sought, will be watched with interest.
The ACL proceedings will also be of immense importance as the first case in which a court will consider what constitutes ‘reasonable steps’ to secure personal information for the purposes of APP 11.