Australian Clinical Labs’ $5.8 million fine for failing to protect customers’ personal information is a stark reminder of Privacy Act obligations.
Earlier this month (8 October), pathology business Australian Clinical Labs (ACL) was issued a $5.8 million fine for failing to take reasonable steps to protect customer data, following a breach that saw personal information of over 223,000 customers leaked to the dark web.
It was the first civil penalty issued under Australia’s amended Privacy Act, which was updated in 2024 to significantly expand penalties, enforcement and investigative powers targeting companies that mismanaged customers’ personal data.
BDO forensic services partner Conor McGarrity said the penalty against ACL was a “warning shot”, showing that businesses would need to take a proactive approach to data privacy.
“The regulator is no longer satisfied with promises of improvement or reactive measures. The expectation now is proactive compliance, with data privacy embedded across every part of the organisation,” he said.
In this case, the court determined that ACL had failed to take “reasonable steps” to protect its customers’ data and also failed to adequately assess and notify authorities of the data breach stemming from a cyber attack in 2022.
The attack resulted in the personal details of over 223,000 customers being published on the dark web, including passport numbers and health information.
Businesses that fail to comply with the updated privacy rules can face penalties of up to $50 million, or three times the value of the benefit obtained by mishandling personal data.
BDO’s McGarrity warned that the updated Privacy Act would affect any businesses that held sensitive customer data, including the professional services sector.
“Retail, finance, health, technology, professional services – it’s universal. Boards and executives must understand that privacy obligations now sit alongside financial and operational risk. Those who don’t move quickly risk severe reputational and financial damage,” he said.
In determining ACL’s penalty, the court considered what would count as “reasonable steps” to protect customer information.
Influencing factors included the volume and sensitivity of personal information, the potential harm to individuals if such information was disclosed, the size and sophistication of the business, its cyber security environment and any prior cyber attacks made against the business.
In the case of ACL, the court determined that the nature of the information posted to the dark web had the potential to cause “significant harm” to affected customers, including “financial harm, distress or psychological harms, and material inconvenience”.
The court added that ACL was one of Australia’s largest private hospital pathology businesses at the time of the data breach, and its contraventions had the potential to impact public trust in entities holding their private and sensitive information.
BDO noted that the Privacy Act reforms had “fundamentally” altered the risk landscape for all organisations handling personal information. Businesses that failed to take proactive steps to identify, store or remove customer data appropriately could face steep penalties, it warned.
“The regulator is now scrutinising whether data is still necessary to retain and whether adequate safeguards are in place,” McGarrity said.
“Businesses can no longer justify keeping data ‘just in case’. They must be able to prove why they hold it and how it’s protected.”