Business Toolbox

A recent Federal Court ruling is a stark reminder that a cyber attack can hit any business – large or small. But simple precautions and expert advice can dramatically reduce your risk, protecting your data, your reputation and your bottom line. 

Australian Clinical Labs (ACL) was recently fined $5.8 million after a major data breach, marking the first civil penalty under the Privacy Act. The Court found ACL failed to take reasonable steps to secure highly sensitive data stolen during a February 2022 ransomware attack on its recently acquired Medlab Pathology systems. 

Since December 2022, penalties for privacy breaches have risen sharply – up to $50m per breach. The cost of getting this wrong has never been higher. 

What happened?

In late 2021, ACL acquired Medlab Pathology, including its outdated IT infrastructure. Two months later, a ransomware group infiltrated the system, encrypting files and stealing about 86GB of data. 

ACL initially relied on incorrect advice from an external cybersecurity provider and did not notify the Office of Australian Information Commissioner (OAIC) or affected individuals until months after the breach. 

What the Court found

ACL had: 

• Inadequate data protection: Weak authentication, outdated software, limited monitoring and no encryption. 
• Poor breach assessment: Over-reliance on a narrow investigation by a third-party consultant. 
• Delayed notification: Waiting nearly a month after confirming the breach to notify authorities and customers – when it should have taken 2–3 days. 

Key lessons for businesses

Business Law WA Commercial Law Legal Director Cass Wright says cyber threats continue to escalate, with ransomware being a persistent threat. 

“In this instance, ACL was also penalised in respect of delaying assessment of the suspected data breach and also notification to the OAIC, it’s important that businesses know their obligations and get legal advice if they suffer a data breach” she says. 

“Every business needs a cybersecurity protocol and clear response measures in place.” 

What business owners should do now

• Strengthen your security posture – especially if you hold sensitive or high-volume data. 
• Conduct cyber due diligence during mergers and acquisitions. 
• Maintain and regularly update your incident response plan and ensure staff are trained. 
• Seek independent advice – don’t rely solely on one external consultant. 
• Where required, report breaches quickly to regulators and affected individuals. 
• Understand the financial risk – penalties can now reach tens of millions and cripple a business. 

How to respond to a threat  

If your business experiences a cyberattack or scam:  

• Contain, assess and identify the breach. 
• Activate data incident response plan.
• Obtain legal advice.
• Comply with obligations under the Privacy Act 1988 and Notifiable Data Breach scheme.  
• Report it immediately – to your bank, the Australian Cyber Security Centre (ACSC) or IDCARE, and the police if necessary.   
• If you pay a ransom, be aware of the obligation contained in the Cyber Security Act 2020 (Cth).  
• Use ACSC’s report.cyber.gov.au portal or call the 1300 CYBER 1 (1300 292 371) helpline for real-time advice and support.  

If you need help with a cyber security plan, due diligence during an acquisition or to understand your obligations under the privacy laws or how the Privacy Act may impact your business, contact the Commercial Law team at [email protected] or call 08 9365 7560. 

This article is authorised by Business Law WA, an incorporated legal practice and wholly owned subsidiary of CCIWA. The contents of this article is general in nature and is not legal or professional advice and should not be relied upon as such.