Patrick Gunning from King & Wood Mallesons reports that, on November 2, 2023, the Australian Information Commissioner filed proceedings in the Federal Court of Australia against Australian Clinical Labs Limited seeking a civil penalty (i.e., a fine) in connection with the company’s response to a data breach that occurred in February 2022. The case is significant because: (1) it is only the second time that the Australian regulator has brought court proceedings of this kind despite having the power to do so since 2014; and (2) it signals the regulator’s priority in ensuring that cybersecurity incidents are responded to swiftly. The Australian legislature increased maximum penalties for ‘serious’ contraventions of the Privacy Act with effect from December 2022 to at least A$50 million. However, the maximum penalty available in this case will be A$2.2 million because the company’s conduct occurred prior to December 2022.
The Publicly Available Facts
Australian Clinical Labs Limited is listed on the Australian Securities Exchange and operates one of the largest pathology businesses in Australia. The information set out below is based on announcements by the company to the market and by the regulator.
The company acquired Medlab Pathology (“Medlab”) in December 2021.
In February 2022, Medlab became aware of unauthorized third-party access to its IT system, and undertook a forensic investigation led by independent external cyber experts. That investigation did not reveal any evidence that patient data had been exfiltrated.
In March 2022, the Australian Cyber Security Centre (the “ACSC”, an agency within the Australian federal government) contacted the company to advise that it had received intelligence that Medlab may have been the victim of a ransomware incident. The company responded to the ACSC and stated that, to its knowledge, the company did not believe that any data had been compromised.
In June 2022, the ACSC contacted the company again to advise that it believed that Medlab patient data had been posted on the dark web. The company took immediate steps to find and download the data set from the dark web and analyze it.
On July 10, 2022, the company notified the Office of the Australian Information Commissioner (“OAIC”) of the incident.
On October 27, 2022, the company announced to the Australian Securities Exchange that it had suffered a cyber security incident affecting its Medlab Pathology business and that based on its forensic analysis had determined that approximately 223,000 individuals had been affected. Within this figure, approximately 17,500 had medical and health records associated with a pathology test, approximately 28,000 had credit card details compromised and approximately 128,000 Medicare numbers were compromised.
On December 5, 2022, the OAIC announced that it had commenced an investigation into the personal information handling practices of Medlab Pathology in relation to its notifiable data breach.
Approximately 11 months later, proceedings were filed in the Federal Court of Australia.
The Allegations in the Case
The originating documents are not yet publicly available. The OAIC’s announcement of the filing of the proceedings says that the allegations are that:
- Between May 2021 (which is before the company had acquired Medlab) and September 2022, the company failed to take reasonable steps to protect the personal information of its patients from unauthorized access or disclosure, which left the company vulnerable to cyberattack. If made out, this would be a breach of Australian Privacy Principle 11.1.
- The company breached s26WH of the Privacy Act, which required the company to carry out a reasonable and expeditious assessment of whether a notifiable data breach has occurred, and to take all reasonable steps to ensure that the assessment is completed within 30 days.
- The company breached s26WK of the Privacy Act, which required the company to notify the OAIC of a notifiable data breach as soon as practicable after it became aware that there are reasonable grounds to believe that a notifiable data breach has occurred.
The company has said that it will be defending the claim and that it asserts that its cyber security systems are robust.
Initial Observations on the Allegations
Security measures. The question of the adequacy of the security measures implemented by the company will be a matter for expert evidence. The regulator has statutory powers to require the production of information and documents, and to interview witnesses on oath, when investigating. It is reasonable to assume that the regulator has utilized these powers to obtain evidence of the security measures in place during the relevant period and retained an expert to give an opinion on the adequacy of those measures. If the company is to defend the claim successfully, it will need to retain its own expert witness and, if agreement cannot be reached between the experts, the court will need to decide which opinion it accepts.
Investigation of the incident and notification of the regulator. The regulator’s case must be that the obligation to conduct an investigation was triggered in February 2022 and that the company should not have concluded that there was no risk of serious harm to individuals simply because the forensic investigation did not reveal evidence of exfiltration. This has been a theme that has emerged in periodic reports published by the OAIC in connection with data breaches that have been notified to the regulator. For example, in a report published in September 2023, the OAIC stated:
If an entity suspects a data breach has occurred but is unable to eliminate that suspicion quickly and confidently, the entity should consider proceeding on the presumption that there has been a data breach. Notification obligations are triggered once there are reasonable grounds to believe that an eligible data breach has occurred. Conclusive or positive evidence of unauthorized access, disclosure or loss is not required for an entity to assess that an eligible data breach has occurred.
The company is likely to argue that it satisfied its obligation to investigate in February 2022, and, in light of the findings of the forensic investigation, formed the opinion that a reasonable person would conclude that the incident was not likely to result in serious harm to individuals, so it did not notify the OAIC at that time. On this approach, the company is also likely to say that the obligation to investigate was re-enlivened in June 2022 when the ACSC told the company about the data that was available on the dark web, and that investigation was performed on a reasonable and expeditious basis and notified to the OAIC within the 30-day period.
Collateral Issues
Cyber risks in M&A. If the regulator wins its case that the security measures were inadequate from May 2021, the company may have a warranty claim against the sellers of the Medlab Pathology business (which was acquired in December 2021) depending on the warranties that were given and any agreed limitation periods for making warranty claims. The case is a real example of the importance of risk allocation in an M&A transaction for liability arising from latent information security vulnerabilities existing prior to completion of the transaction.
Class actions. The company also faces a risk of class actions. The Australian health insurer, Medibank Private Limited, suffered a large-scale data breach in October 2022. As a result, Medibank is facing a consumer class action (on behalf of individuals who suffered harm as a result of the incident) and a securities class action (on behalf of investors who claim that Medibank breached its continuous disclosure obligations as a listed company by failing to inform the market that its security measures were inadequate, and that class members purchased shares when they would not have if they had been informed about the true state of Medibank’s information security measures). Similarly, the Australian telecommunications company, Optus, suffered a large-scale data breach in September 2022 and is facing a consumer class action. There is no securities class action in Australia against Optus because the company is a subsidiary of Singapore Telecommunications Limited, which is listed in Singapore rather than Australia. No class action has been announced against Australian Clinical Labs at the time of writing. Potential funders are likely evaluating the economic viability of such a case, which would be much smaller in scale than in the actions against Medibank and Optus due to the smaller class size.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code