Patrick Gunning from King & Wood Mallesons reports that, on November 2, 2023, the Australian Information Commissioner filed proceedings in the Federal Court of Australia against Australian Clinical Labs Limited seeking a civil penalty (i.e., a fine) in connection with the company’s response to a data breach that occurred in February 2022. The case is significant because: (1) it is only the second time that the Australian regulator has brought court proceedings of this kind despite having the power to do so since 2014; and (2) it signals the regulator’s priority in ensuring that cybersecurity incidents are responded to swiftly. The Australian legislature increased maximum penalties for ‘serious’ contraventions of the Privacy Act with effect from December 2022 to at least A$50 million. However, the maximum penalty available in this case will be A$2.2 million because the company’s conduct occurred prior to December 2022.
The Publicly Available Facts
Australian Clinical Labs Limited is listed on the Australian Securities Exchange and operates one of the largest pathology businesses in Australia. The information set out below is based on announcements by the company to the market and by the regulator.
The company acquired Medlab Pathology (“Medlab”) in December 2021.
In February 2022, Medlab became aware of unauthorized third-party access to its IT system, and undertook a forensic investigation led by independent external cyber experts. That investigation did not reveal any evidence that patient data had been exfiltrated.
In March 2022, the Australian Cyber Security Centre (the “ACSC”, an agency within the Australian federal government) contacted the company to advise that it had received intelligence that Medlab may have been the victim of a ransomware incident. The company responded to the ACSC and stated that, to its knowledge, the company did not believe that any data had been compromised.
In June 2022, the ACSC contacted the company again to advise that it believed that Medlab patient data had been posted on the dark web. The company took immediate steps to find and download the data set from the dark web and analyze it.
On July 10, 2022, the company notified the Office of the Australian Information Commissioner (“OAIC”) of the incident.
On October 27, 2022, the company announced to the Australian Securities Exchange that it had suffered a cyber security incident affecting its Medlab Pathology business and that based on its forensic analysis had determined that approximately 223,000 individuals had been affected. Within this figure, approximately 17,500 had medical and health records associated with a pathology test, approximately 28,000 had credit card details compromised and approximately 128,000 Medicare numbers were compromised.
On December 5, 2022, the OAIC announced that it had commenced an investigation into the personal information handling practices of Medlab Pathology in relation to its notifiable data breach.
Approximately 11 months later, proceedings were filed in the Federal Court of Australia.
The Allegations in the Case
The originating documents are not yet publicly available. The OAIC’s announcement of the filing of the proceedings says that the allegations are that:
- Between May 2021 (which is before the company had acquired Medlab) and September 2022, the company failed to take reasonable steps to protect the personal information of its patients from unauthorized access or disclosure, which left the company vulnerable to cyberattack. If made out, this would be a breach of Australian Privacy Principle 11.1.
- The company breached s26WH of the Privacy Act, which required the company to carry out a reasonable and expeditious assessment of whether a notifiable data breach has occurred, and to take all reasonable steps to ensure that the assessment is completed within 30 days.
- The company breached s26WK of the Privacy Act, which required the company to notify the OAIC of a notifiable data breach as soon as practicable after it became aware that there are reasonable grounds to believe that a notifiable data breach has occurred.
The company has said that it will be defending the claim and that it asserts that its cyber security systems are robust.
Initial Observations on the Allegations
Security measures. The question of the adequacy of the security measures implemented by the company will be a matter for expert evidence. The regulator has statutory powers to require the production of information and documents, and to interview witnesses on oath, when investigating. It is reasonable to assume that the regulator has utilized these powers to obtain evidence of the security measures in place during the relevant period and retained an expert to give an opinion on the adequacy of those measures. If the company is to defend the claim successfully, it will need to retain its own expert witness and, if agreement cannot be reached between the experts, the court will need to decide which opinion it accepts.
Investigation of the incident and notification of the regulator. The regulator’s case must be that the obligation to conduct an investigation was triggered in February 2022 and that the company should not have concluded that there was no risk of serious harm to individuals simply because the forensic investigation did not reveal evidence of exfiltration. This has been a theme that has emerged in periodic reports published by the OAIC in connection with data breaches that have been notified to the regulator. For example, in a report published in September 2023, the OAIC stated:
If an entity suspects a data breach has occurred but is unable to eliminate that suspicion quickly and confidently, the entity should consider proceeding on the presumption that there has been a data breach. Notification obligations are triggered once there are reasonable grounds to believe that an eligible data breach has occurred. Conclusive or positive evidence of unauthorized access, disclosure or loss is not required for an entity to assess that an eligible data breach has occurred.
The company is likely to argue that it satisfied its obligation to investigate in February 2022, and, in light of the findings of the forensic investigation, formed the opinion that a reasonable person would conclude that the incident was not likely to result in serious harm to individuals, so it did not notify the OAIC at that time. On this approach, the company is also likely to say that the obligation to investigate was re-enlivened in June 2022 when the ACSC told the company about the data that was available on the dark web, and that investigation was performed on a reasonable and expeditious basis and notified to the OAIC within the 30-day period.
Cyber risks in M&A. If the regulator wins its case that the security measures were inadequate from May 2021, the company may have a warranty claim against the sellers of the Medlab Pathology business (which was acquired in December 2021) depending on the warranties that were given and any agreed limitation periods for making warranty claims. The case is a real example of the importance of risk allocation in an M&A transaction for liability arising from latent information security vulnerabilities existing prior to completion of the transaction.
Class actions. The company also faces a risk of class actions. The Australian health insurer, Medibank Private Limited, suffered a large-scale data breach in October 2022. As a result, Medibank is facing a consumer class action (on behalf of individuals who suffered harm as a result of the incident) and a securities class action (on behalf of investors who claim that Medibank breached its continuous disclosure obligations as a listed company by failing to inform the market that its security measures were inadequate, and that class members purchased shares when they would not have if they had been informed about the true state of Medibank’s information security measures). Similarly, the Australian telecommunications company, Optus, suffered a large-scale data breach in September 2022 and is facing a consumer class action. There is no securities class action in Australia against Optus because the company is a subsidiary of Singapore Telecommunications Limited, which is listed in Singapore rather than Australia. No class action has been announced against Australian Clinical Labs at the time of writing. Potential funders are likely evaluating the economic viability of such a case, which would be much smaller in scale than in the actions against Medibank and Optus due to the smaller class size.