28 October 2025

Privacy Act Wakeup Call: AIC v. ACL On "Reasonable Security," Notification Duties, And Sanctions

A&O Shearman


A&O Shearman was formed in 2024 via the merger of two historic firms, Allen & Overy and Shearman & Sterling. With nearly 4,000 lawyers globally, we are equally fluent in English law, U.S. law and the laws of the world’s most dynamic markets. This combination creates a new kind of law firm, one built to achieve unparalleled outcomes for our clients on their most complex, multijurisdictional matters – everywhere in the world. A firm that advises at the forefront of the forces changing the current of global business and that is unrivalled in its global strength. Our clients benefit from the collective experience of teams who work with many of the world’s most influential companies and institutions, and have a history of precedent-setting innovations. Together our lawyers advise more than a third of NYSE-listed businesses, a fifth of the NASDAQ and a notable proportion of the London Stock Exchange, the Euronext, Euronext Paris and the Tokyo and Hong Kong Stock Exchanges.
This decision raises the compliance bar and provides concrete guidance on how APP 11.1 and the NDB scheme apply in real‑world incidents.

Why this matters

The Federal Court's decision in Australian Information Commissioner v. Australian Clinical Labs Limited [2025] FCA 1224 is the first civil penalty imposed under the Privacy Act 1988 (Cth) and sets a clear, practical benchmark for what Australian Privacy Principle (APP) 11 requires in today's threat environment.

The court imposed a penalty of AUD5.8 million and emphasized that "reasonable steps" are context‑specific, risk‑based and must evolve with known threats. It also reinforced that the Notifiable Data Breach (NDB) scheme's assessment and notification obligations are time‑critical and substantive. Delay, partial notification or an unduly narrow view of "serious harm" will not suffice.

What happened

In 2022, Australian Clinical Labs Limited (ACL) disclosed a cyber incident affecting its Medlab Pathology business unit involving unauthorized access to, and exfiltration of, personal and health information. The Office of the Australian Information Commissioner (OAIC) brought civil penalty proceedings alleging contraventions of the Privacy Act, including failures to take reasonable steps under APP 11.1 to protect personal information and failures to comply with the NDB scheme's assessment and notification requirements. The Federal Court made declarations and imposed penalties and ancillary orders.

APP 11.1: what "reasonable steps" are required

The court held that a large health services provider holding extensive volumes of sensitive information was required to operate a contemporary, risk‑based security program aligned to its threat profile. That meant operationalizing widely recognized controls commensurate with the sensitivity and volume of the data and the organization's complexity.

The court identified, among other things, identity and access management, risk‑based patching and vulnerability management, network segmentation and hardening of legacy systems, logging and monitoring to detect and triage anomalies, multi‑factor authentication for privileged access, encryption at rest and in transit where practicable, and robust incident response and data retention practices as part of the reasonable steps expected. The court underscored that data minimization and defensible retention are integral to APP 11.1 because information not held cannot be breached.

NDB scheme: timeliness and completeness

The court clarified that a "reasonable and expeditious" assessment of a suspected eligible data breach is measured in days and short weeks, not months, calibrated to the risk and the available indicators of compromise. Where credible indicators point to exfiltration or exposure of highly sensitive datasets, the obligation to notify the OAIC and affected individuals arises once an eligible data breach is reasonably believed to have occurred.

Notifications must be accurate, sufficiently complete, and updated as further facts emerge. Partial, qualified or delayed notifications were found to be inadequate.

Findings, penalties and relief

The court declared that ACL interfered with individuals' privacy and contravened the NDB scheme. In fixing the penalty, it applied established civil penalty principles, weighing the objective seriousness of the conduct, the sensitivity and volume of information, the duration of contraventions, senior management's knowledge and responsibility, post‑incident remediation, cooperation with the regulator and the need for specific and general deterrence. The court stressed that penalties cannot be treated as a "cost of doing business," particularly where sensitive health information is at stake and sector‑wide alerts previously highlighted known risks.

Ancillary orders were made to uplift ACL's privacy and security posture and breach readiness, including independent audits, mandated uplift plans aligned to specified frameworks and reporting to the regulator. The court recognized post‑incident investments but held that remediation after the fact does not cure past contraventions or obviate the need for substantial penalties.

Penalty methodology and deterrence

Applying the totality principle, the court considered the course of conduct, number of contraventions, statutory maximums, proportionality to gravity and harm risked, and the deterrence objective. It examined whether failings were systemic or isolated, whether they persisted despite public advisories, and the extent of management attention before and after the incident.

Aggravating factors included the sensitivity of health information, the foreseeability of the threat and inadequate treatment of legacy environment risks. Mitigating factors included cooperation, early admissions where made, remediation and victim support initiatives. The resulting penalty was AUD5.8m.

Practical implications for organizations

Organizations holding personal information, particularly sensitive health data, should uplift their baseline security and data governance to reflect current threats and the court's expectations. Programs should be risk‑based and evolving, with tested controls covering identity and access, patching, segmentation, monitoring, privileged access, encryption and incident readiness. Data minimization and defensible retention must be embedded.

Suspected breaches should be assessed promptly, preserving forensic artefacts and escalating quickly to a reasonable belief where indicators warrant it. Notifications to the OAIC and affected individuals should be timely, accurate and complete, with iterative updates as facts crystallize. Clear governance and board‑level accountability, with threat‑informed metrics and resourced uplift plans, are essential. Contracting and oversight of third‑party providers should set clear scopes, evidence‑based reporting and service levels for triage, discovery and response.

M&A: Pre‑ and post‑completion obligations to avoid inherited cyber risk

The case emphasizes that known weaknesses in legacy or inherited environments require immediate remediation plans with defined timelines. Buyers should go beyond document review to test operational reality, verifying that security controls and incident management processes function in practice.

Where deficiencies are identified, they should be scoped, sequenced and costed into the deal, with pre‑completion undertakings or day‑one programs to close high‑risk gaps. Warranties and indemnities are not a substitute for timely remediation and are unlikely to offset the operational, regulatory and reputational consequences of unmanaged cyber risks that crystallize post‑close.

What next

This decision raises the compliance bar and provides concrete guidance on how APP 11.1 and the NDB scheme apply in real‑world incidents. The message is clear: invest in proportionate controls, minimize the personal information you hold, be prepared to assess and notify eligible data breaches without delay and ensure governance supports these outcomes. For acquirers, build deeper, earlier cyber diligence into transactions and plan for day‑one remediation and segmentation of high‑risk environments. The cost of inaction will increasingly be measured not only in incident response and remediation, but also in the courtroom.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
