The Australian Information Commissioner has commenced civil penalty proceedings against Australian Clinical Labs Limited in the Federal Court
November 20, 2023
After coming off some serious questioning in Senate Estimates about poor enforcement practices, the Commissioner announced on 3 November 2023 that the Office of the Australian Information Commissioner had launched proceedings against Australian Clinical Labs on 2 November 2023 (file number NSD1287/2023). The Commissioner has filed a Concise Statement and Originating Application, and Australian Clinical Labs Limited has filed a Notice of Address for Service.

The Commissioner is represented by DLA Piper, out of its Brisbane office. Previously the Commissioner has been represented by HWL Ebsworth. Gilbert & Tobin, out of its Sydney office, is representing Australian Clinical Labs. Gilbert & Tobin represented RI Advice in the Federal Court case of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496. That case has been heralded as a positive development in enforcing data security as an obligation of Financial Services Licensees under section 912A of the Corporations Act 2001. While RI Advice was the subject of compliance orders and penalties, it is fair to say that Gilbert & Tobin did a good job in keeping the stringency of the orders and the penalty to a moderate level. Compared with overseas penalties imposed by the European regulators, the UK Information Commissioner’s Office and the Federal Trade Commission, the penalties were minor.
Medlab Pathology had a data breach in February 2022. It notified the Commissioner on 10 July 2022, five months later. ACL disclosed the breach to the ASX in late October 2022, stating that the information of around 223,000 individuals had been affected. In December 2022 that resulted in a Commissioner-initiated investigation into the data breach.
The Commissioner’s statement provides:
The Australian Information Commissioner has commenced civil penalty proceedings in the Federal Court against Australian Clinical Labs Limited (ACL) resulting from an investigation of its privacy practices. The investigation arose as a result of a February 2022 data breach of ACL’s Medlab Pathology business that was notified to the Office of the Australian Information Commissioner (OAIC) on 10 July 2022. The OAIC’s investigation commenced in December 2022.
The Commissioner alleges that from May 2021 to September 2022, ACL seriously interfered with the privacy of millions of Australians by failing to take reasonable steps to protect their personal information from unauthorised access or disclosure in breach of the Privacy Act 1988. The Commissioner alleges that these failures left ACL vulnerable to cyberattack.
ACL’s business centrally involves collecting and holding millions of individual patients’ health information. ACL collects other personal information from patients in order to provide test results and issue invoices, such as personal identifying and contact information, and copies of Medicare cards and numbers. ACL generated revenue of $995.6 million in the financial year ending June 2022.
The Commissioner also alleges that following the data breach, ACL failed to carry out a reasonable assessment of whether it amounted to an eligible data breach and then failed to notify the Commissioner as soon as practicable. These are steps it was required to take under Part IIIC of the Privacy Act.
The Commissioner alleges that ACL contravened section 13G of the Privacy Act by reason of the following:
- breaches of Australian Privacy Principle (APP) 11.1(b), which requires an APP entity to take such steps as are reasonable in the circumstances to protect personal information it holds from unauthorised access
- contravention of section 26WH(2), which requires an APP entity to carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach and to take all reasonable steps to ensure that the assessment is completed within 30 days
- contravention of section 26WK(2), which requires an APP entity to notify the Australian Information Commissioner of an eligible data breach as soon as practicable after the entity is aware that there are reasonable grounds to believe that there has been an eligible data breach.
The February 2022 data breach resulted in the unauthorised access and exfiltration of personal information, sensitive health information and credit card information of in excess of 100,000 individuals.
“Organisations are responsible for protecting the information they hold, including effectively managing cyber security risk,” Australian Information Commissioner Angelene Falk said.
“We consider that ACL failed to take reasonable steps to protect personal information it held for an organisation of its size with its resources, and considering the nature and volume of the sensitive personal information it handled.
“When a data breach occurs, organisations are responsible for notifying the Office of the Australian Information Commissioner and affected individuals as a way of minimising the risks and potential for harm associated with a data breach.
“Contrary to this principle, ACL delayed notifying my office that personal and sensitive information had been published on the dark web.
“As a result of their information being on the dark web, individuals were exposed to potential emotional distress and the material risk of identity theft, extortion and financial crime,” said Commissioner Falk.
Background
The Privacy Act includes 13 legally binding Australian Privacy Principles (APPs). The APPs apply to organisations and government agencies covered by the Privacy Act (APP entities).
Under section 13G of the Privacy Act, an APP entity will be liable for a civil penalty if it does an act, or engages in a practice, that is a serious interference with the privacy of an individual.
The Australian Information Commissioner may apply to the Federal Court for a civil penalty order alleging that an APP entity has engaged in serious and/or repeated interferences with privacy in contravention of section 13G. Under current legislation, the OAIC is unable to impose a penalty. Rather, the OAIC must lodge proceedings in the Federal Court.
The Federal Court can impose a civil penalty of up to $2,220,000 for each contravention of section 13G (as per the penalty rate applicable from May 2021 to September 2022). Whether a civil penalty order is made and the amount are matters before the court.
The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, which commenced in December 2022, increased the maximum civil penalties for a serious and/or repeated interference with privacy for a body corporate to an amount not more than the greater of:
- $50 million
- if a court can determine the value of the benefit that the body corporate (and its related bodies corporate) directly or indirectly obtained from the contravention – three times the value of that benefit
- if a court cannot determine the value of that benefit – 30% of the adjusted turnover of the body corporate during the breach turnover period (minimum 12 months) for the contravention.
These new penalties will not be applicable to the Australian Information Commissioner’s proceedings against ACL given the alleged conduct occurred before the commencement of the updated penalty provisions.
The OAIC commenced a Commissioner-initiated investigation into ACL in relation to its data breach in December 2022.
In its response to the Privacy Act review report, the Australian Government agreed that section 13G of the Privacy Act, which deals with ‘serious or repeated’ breaches of privacy, should be amended to remove the word ‘repeated’ and clarify that a ‘serious’ interference can include repeated interferences with privacy.
The Australian Government also agreed that a new mid-tier civil penalty provision should be introduced to cover interferences with privacy that do not meet the threshold of being ‘serious’ and a new low-level civil penalty provision for specific administrative breaches of the Privacy Act and APPs should be introduced with attached infringement notice powers for the OAIC with set penalties.
This proceeding may be influential if it runs to judgment. It will be the first case in which the Court will consider what constitutes reasonable steps to secure personal information under APP 11. ACL has stated it has robust data security. In my experience, involving two cases where the Commissioner was a party, the Commissioner has not been as successful as one would have hoped. But each case is different. It is heartening that the Commissioner has decided to take some action.
The case has been reported in InnovationAUS in OAIC takes pathology company to court over data breach, which provides:
Australia’s privacy watchdog is taking Australian Clinical Labs to court over a data breach that exposed the personal information of 223,000 Australians, a week after its regulatory actions were criticised in Senate Estimates.
The ASX-listed company, which owns Medlab Pathology, is alleged to have “seriously interfered with the privacy of millions of Australians by failing to take reasonable steps to protect their personal information from unauthorised access or disclosure in breach of the Privacy Act 1988” between May 2021 and September 2022.
The firm collects millions of individual patients’ health information as well as other personal identifying and contact information to share test results and issue invoices. This also includes copies of Medicare cards and numbers.
Federal Court proceedings follow an investigation into ACL’s privacy practices. The investigation, which began in December 2022, was initiated after ACL’s Medlab Pathology business disclosed a February 2022 data breach. If found guilty, Australian Clinical Labs (ACL) may be liable to pay up to $2.22 million in penalties for each contravention of the Privacy Act identified by the court.
ACL has said it will be “defending the [Australian Information Commissioner’s] claim and asserts that its cyber security systems are robust”.
The data breach “resulted in the unauthorised access and exfiltration of personal information, sensitive health information and credit card information of in excess of 100,000 individuals”, according to the OAIC. The Office of the Australian Information Commissioner (OAIC) was notified of the February 2022 data breach in mid-July 2022. It disclosed the data breach to the ASX in late October 2022, stating that around 223,000 individuals had been affected.
“The Commissioner also alleges that following the data breach, ACL failed to carry out a reasonable assessment of whether it amounted to an eligible data breach and then failed to notify the Commissioner as soon as practicable,” the OAIC’s statement adds.
The Notifiable Data Breach scheme requires organisations covered by the Privacy Act to notify affected individuals and the OAIC “when a data breach is likely to result in serious harm to an individual whose personal information is involved”, according to the regulator.
The OAIC alleges that ACL contravened section 13G of the Privacy Act, which outlines what constitutes an interference with the privacy of an individual.
New maximum civil penalties introduced at the end of last year for breaches of the Privacy Act do not apply since the period of the alleged breach was prior to the commencement of the changes.
In a statement, Australian Information Commissioner Angelene Falk said “organisations are responsible for protecting the information they hold, including effectively managing cyber security risk”.
“We consider that ACL failed to take reasonable steps to protect personal information it held for an organisation of its size with its resources, and considering the nature and volume of the sensitive personal information it handled.”
“When a data breach occurs, organisations are responsible for notifying the OAIC and affected individuals as a way of minimising the risks and potential for harm associated with a data breach.
“Contrary to this principle, ACL delayed notifying my office that personal and sensitive information had been published on the dark web.
“As a result of their information being on the dark web, individuals were exposed to potential emotional distress and the material risk of identity theft, extortion and financial crime.”
The civil proceedings come a week after Ms Falk was pressed during Senate estimates on perceived delays in its investigations of data breaches and the issuance of penalties.
Last Monday, Greens Senator David Shoebridge noted that the OAIC had been notified of 1,748 data breaches in the last two financial years but “not a single penalty has been issued”.
In response, Ms Falk said the office has worked to ensure the purpose of the notifiable data breaches scheme has been achieved, “which is that individuals are notified [so] that they can take steps to mitigate their risk”.
“We have had investigations running. They’ve been resolved by means other than by penalties. And I’ve said that we’ve got major investigations running now, which is a result of specific funding that has enabled that kind of regulatory activity and has been very welcome,” Ms Falk added.
Mr Shoebridge also asked what had gone wrong for OAIC not to have issued a penalty in the last two financial years, to which Ms Falk responded: “It’s not a matter of something going wrong. It’s about regulatory strategy. It’s about ensuring that we’re using the right tool in the right circumstances”.