On 8 October 2025, the Federal Court issued the first civil penalty under the Privacy Act 1988 (Cth) (Privacy Act). The $5.8 million penalty represents a step-change in the enforcement of privacy obligations in Australia and demonstrates that organisations that contravene the Privacy Act may be subject to substantial financial penalties.
The decision in Australian Information Commissioner v Australian Clinical Labs Limited (ACL) (No 2) [2025] FCA 1224 also provides guidance to organisations about the steps which are expected to be taken to protect personal information, and how quickly organisations should investigate and notify the Australian Information Commissioner of eligible data breaches.
Key Takeaways
The case underscores the importance for Australian Privacy Principle (APP) regulated entities of ensuring that:
- measures taken by the entity to protect the personal information it holds (such as applied frameworks, audits, testing and training) are commensurate with:
- the risk environment the entity operates in;
- the volume and nature of the information the entity holds; and
- the entity's size and resources;
- the entity considers security measures such as multifactor authentication, application whitelisting, appropriate anti-virus software, and system monitoring capabilities (including through firewalls);
- incident management processes are detailed and regularly tested;
- the entity is sufficiently skilled and equipped to promptly and properly comply with all aspects of the Privacy Act's Notifiable Data Breach scheme and staff receive training in relation to incident management processes;
- senior management of the entity exercises independent judgment with respect to the adequacy of any assessment of eligible data breaches, rather than simply relying on assessments by third party service providers; and
- data breach notifications are made promptly. In this case, the Court expected ACL to have made a notification within 2 to 3 days of having reasonable grounds to believe there had been an eligible data breach.
The case also highlights the need for entities acquiring businesses to:
- conduct thorough privacy and data security due diligence on target entities to identify deficiencies prior to an acquisition; and
- ensure any identified privacy and data security deficiencies are remediated either prior to, or promptly after, completion of the acquisition.
Background
In December 2021, ACL acquired the assets (including IT systems) of Medlab Pathology Pty Ltd (Medlab), an entity which collected and held personal information including health information, contact information and credit card details. ACL planned to integrate Medlab's IT systems with ACL's IT systems in the 6 months following completion of the acquisition.
The agreed facts reflect that there were cybersecurity deficiencies in Medlab's IT systems prior to integration into ACL's core IT environment, including:
- the deployed antivirus software was not capable of appropriately:
- preventing malicious files being written/run; or
- preventing or detecting data being uploaded from the server;
- weak authentication measures (including no multifactor authentication to access the systems via VPN);
- the deployed firewalls only logging 1 hour of activity at a time prior to deletion;
- the lack of file encryption; and
- the network server running a legacy system that was no longer supported.
(together, the Recognised IT Deficiencies).
The Court noted that ACL had failed to identify a number of these deficiencies as part of its pre-acquisition due diligence.
On, or shortly prior to, 25 February 2022, a cyberattack involving the use of malware was initiated against the Medlab systems by a threat actor known as "the Quantum Group" (Cyberattack).
An ACL employee first became aware of the Cyberattack on 25 February 2022, and on the same day ACL engaged a third-party cybersecurity service provider, StickmanCyber, to investigate and advise upon the Cyberattack.
ACL's initial response to the Cyberattack was heavily reliant upon StickmanCyber and was led internally by an employee who had no cyberattack response training and was not familiar with ACL's malware and ransomware playbooks. StickmanCyber undertook a limited investigation which in essence concluded that there was no evidence that data had been exfiltrated and that the Cyberattack "did not cause harm to any individual". Based on StickmanCyber's analysis, ACL took the view that the Cyberattack was not an eligible data breach notifiable under the Privacy Act.
On 25 March 2022, the Australian Cyber Security Centre (ACSC) notified ACL that it had received intelligence suggesting that Medlab may have been subject to a ransomware incident, and reminded ACL that it may be required to notify the Commissioner and affected individuals. ACL responded to the ACSC by stating it did not believe that any data had been exfiltrated. On 16 June 2022, the ACSC notified ACL that 86 gigabytes of data (including sensitive health information and other personal information of over 223,000 individuals) had been published on the dark web.
It was not until 10 July 2022 that ACL officially notified the Commissioner of the eligible data breach.
Key findings
Reasonable steps to protect personal information
The Court found ACL failed to take steps which were reasonable in the circumstances to protect personal information from unauthorised access, modification or disclosure (as required under APP 11.1(b)). In arriving at this finding the Court considered the following factors (amongst others):
- size and nature of the business;
- volume and sensitivity of the information;
- level of cybersecurity risks facing ACL;
- risk of harm to affected individuals posed by unauthorised access/disclosure;
- extent and nature of the Recognised IT Deficiencies;
- delay in identifying the Recognised IT Deficiencies (including ACL's failure to identify the Recognised IT Deficiencies prior to the acquisition of Medlab);
- overreliance on third party service providers; and
- lack of adequate procedures to detect and respond independently to cyber incidents, including:
- the ACL cyber incident playbook did not clearly define roles and responsibilities, contained limited detail on containment processes and steps to mitigate exfiltration of data, and recommended steps for technologies which were not used within the Medlab systems;
- inadequate testing of the incident management processes; and
- inadequate training, as the Medlab IT team leader had not received training on the ACL cyber incident playbooks, or in incident response generally.
Reasonable and expeditious assessment
The Court found that by the date StickmanCyber provided its report to ACL, ACL was aware of reasonable grounds to suspect an eligible data breach had occurred, triggering the obligation to conduct a reasonable and expeditious assessment (as required under s 26WH of the Privacy Act).
ACL was found to have failed to carry out a reasonable and expeditious assessment of whether there were reasonable grounds to believe an eligible data breach had occurred because:
- StickmanCyber's assessment was inadequate as (amongst other things) it:
- monitored less than 3% of the affected computers;
- did not investigate the Quantum Group's attack patterns and behaviour to determine the likelihood of exfiltration;
- based its review solely on firewall logs (which could only log 1 hour's activity at a time prior to deletion and were only reviewed 4 hours after the ransom demand was first downloaded); and
- conducted only a limited investigation of whether a persistence mechanism was established to enable Quantum Group's connection to Medlab's IT systems; and
- ACL was aware of the limitations of StickmanCyber's assessment, and so it was unreasonable to rely solely on the report.
Notification as soon as practicable
The Court found that by at least the date of the second notification from the ACSC (on 16 June 2022), ACL had reasonable grounds to believe there had been an eligible data breach, thereby triggering the obligations under section 26WK to notify the Commissioner of the prescribed matters as soon as practicable.
The Court held that the notification should have been made within 2 to 3 days from the point the obligation was triggered (as opposed to the 24 days ACL took to notify the Commissioner). In this regard, the Court noted that the information required to be included in a notification is not particularly onerous and is intended to facilitate the provision of notifications as soon as practicable after an entity becomes aware of reasonable grounds to believe there has been an eligible data breach.
Determination of penalties
Prior to the decision, ACL and the Commissioner had submitted an agreed penalty of $5.8 million for consideration by the Court.
The agreed penalty comprised:
- $4.2 million for the "Personal Information Contraventions" (with respect to the breaches of APP 11.1(b));
- $800,000 for the "Assessment Contravention" (with respect to the breach of s 26WH); and
- $800,000 for the "Notification Contravention" (with respect to the breach of s 26WK).
ACL was also ordered to pay $400,000 towards the Commissioner's costs in the proceedings.
Justice Halley deemed the agreed aggregate penalty of $5.8 million was appropriate in the circumstances when balancing:
- the following aggravating factors:
- the contraventions, and particularly that the Recognised IT Deficiencies exposed Medlab's IT systems to the risk of a cyberattack for 6 months, were "extensive and significant" and resulted from a failure to take sufficient care/diligence;
- the contraventions had the potential to cause significant harm to affected individuals given the nature of the information posted on the dark web;
- the potential negative impact on the public's trust in the APP entities which hold their personal information;
- the need for personal deterrence noting ACL's size; and
- ACL's senior management were involved in the decision making with respect to Medlab's IT systems and the response to the Cyberattack; and
- the following mitigating factors:
- ACL had taken various measures both prior to, and after, the Cyberattack to uplift its cybersecurity capabilities (including implementing companywide training, appointing an experienced and credentialled Chief Information Security Officer), demonstrating it was taking meaningful steps to develop a satisfactory culture of compliance;
- ACL cooperated with the investigation and had admitted to various contraventions; and
- ACL's CEO apologised that the Cyberattack occurred by way of an ASX announcement in October 2022.
For guidance on your organisation's obligations under the Privacy Act, please contact our Digital Economy Partners Matthew McMillan and Margaret Gigliotti.
All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.