Australia just turned up the heat on privacy breaches - big time. In a landmark decision, the Federal Court slammed Australian Clinical Labs (ACL) with $5.8 million in penalties after serious failures to protect personal information during a cyberattack on its Medlab Pathology IT systems.
Here’s what went wrong - and why it matters for every business:
The Breakdown of Fines
- $4.2 million for not taking reasonable steps to protect personal information, counted as one contravention for each of the more than 223,000 individuals affected.
- $800,000 for dragging their feet - ACL didn't quickly assess if a serious data breach had even happened.
- $800,000 for failing to promptly notify the regulator about the breach, as required.
The judge didn’t mince words, calling ACL’s management failures “extensive and significant.” He found risky decisions at the top helped set the scene for the breach. The fallout? Real harm for individuals - think financial loss, emotional distress, and inconvenience - and a knock to public trust in companies that hold sensitive data.
Penalties Will Only Get Bigger
Here’s the kicker: these fines were set under the old regime. Since December 2022, the maximum penalty per serious contravention has skyrocketed - it is now the greatest of $50 million, three times the benefit obtained from the conduct, or 30% of adjusted turnover for the relevant period.
If you hold any personal data - especially health, financial, or sensitive info - this is your wake-up call. Just checking the box on cyber security isn’t enough anymore. Massive fines are here, and they’re only going up.
Your Cyber Insurance: Danger or Defence?
With bigger penalties on the table, having the right cyber insurance in place isn’t just a nice to have. Not all cyber policies automatically cover regulatory fines, legal costs, or the full suite of expenses that follow a breach, and whether a fine is insurable at all depends on the policy wording and on what the law permits. Many older or off-the-shelf products leave gaping holes around fines - and those holes could cost millions.
If your policy hasn’t been reviewed recently, it’s time to:
- Confirm what’s actually covered for fines, penalties, and legal defence - and under what conditions, such as notification deadlines and required security controls.
- Make sure your cover matches the scale and nature of your business’s risk.
- Act now, while the cyber insurance market is still stable. When penalties rise, premiums and requirements usually follow.
Privacy Commissioner Carly Kind didn’t pull any punches either. She called this outcome “an important turning point in the enforcement of privacy law in Australia” and a clear reminder: fail to protect your customers’ privacy, and you (and your balance sheet) will feel the consequences.
Takeaway for Risk Managers and Business Owners
Gone are the days of the privacy slap on the wrist. The cost of getting it wrong is now measured in millions, not thousands.
If you’re not 100% confident your cyber insurance will protect you from these kinds of penalties, the time to act is now. Don’t wait for headlines to become your reality - review your cyber policy or chat with one of our specialists today by submitting the form below.