$6M Data Breach Fine is Australia's First Civil Penalty Under 1988 Privacy Act
In the first civil penalties imposed under Australia’s Privacy Act 1988, pathology provider Australian Clinical Labs (ACL) must pay $5.8 million ($3.9 million U.S.) over a 2022 data breach, the Federal Court announced on Wednesday. During the breach, the personal information of more than 223,000 individuals was accessed and exfiltrated by an unauthorized actor.
Elizabeth Tydd, Australian information commissioner, said the fine provided “an important reminder to all APP entities that they must remain vigilant in securing and responsibly managing the personal information they hold.”
“These orders also represent a notable deterrent and signal to organisations to ensure they undertake reasonable and expeditious investigations of potential data breaches and report them to the Office of the Australian Information Commissioner appropriately,” she added.
The fine was based on “ACL's failure to take reasonable steps to protect the personal information” held on IT systems, the “failure to carry out a reasonable and expeditious assessment of whether an eligible data breach had occurred following the cyberattack” and failure to quickly notify the information commissioner about the data breach, the release said.
However, Justice John Allaster Halley said ACL’s cooperation during the investigation and subsequent attempts to enhance the cybersecurity capabilities of the company reduced the penalty.
Privacy Commissioner Carly Kind said the order is “an important turning point in the enforcement of privacy law in Australia.”
“For the first time, a regulated entity has been subject to civil penalties under the Privacy Act” which “should serve as a vivid reminder to entities,” especially in the healthcare system, “that there will be consequences of serious failures to protect the privacy of those individuals whose healthcare and information they hold.”
ACL did not immediately respond to a request for comment.