Historic Ruling Signals a New Era of Privacy Enforcement in Australia
How Cybersecurity Expertise Contributed to Landmark AUD5.8 Million Privacy Breach Ruling
December 12, 2025
Following Australian Clinical Labs Limited’s (‘ACL’) public announcement of the data breach, the Office of the Australian Information Commissioner (‘OAIC’) commenced an investigation to determine whether ACL had taken reasonable steps to protect the personal information entrusted to it. FTI Consulting was engaged as a cybersecurity expert to support the OAIC and its counsel, DLA Piper, in navigating the cybersecurity aspects of the investigation and building a case against ACL. Our evidence-based cybersecurity report proved crucial in establishing the facts behind this historic ruling.[1] This was the first civil penalty imposed in the history of the Australian Privacy Act, and the ruling sent a clear message about the consequences of failing to meet regulatory and privacy obligations in Australia.
The Role of a Cybersecurity Expert — Complex Investigation and Analysis
The ACL investigation centred on the following critical areas:
Cybersecurity Governance: The effectiveness of ACL’s cybersecurity governance framework, including the resourcing and funding of the cybersecurity function; the training, qualifications and experience of personnel with security responsibilities; the mechanisms used to assess and manage cybersecurity risks and maturity; and the level of oversight exercised by senior executives and the board of directors.
Cybersecurity Due Diligence: The robustness and sufficiency of pre-deal due diligence undertaken by ACL during the acquisition of Medlab Pathology Pty Ltd. (‘Medlab’), with particular emphasis on the scope and quality of cybersecurity due diligence.
Cybersecurity Controls: The adequacy of ACL’s implementation of key cybersecurity controls, including, but not limited to, multi-factor authentication, privilege management, system updates and patching, endpoint protection measures, security awareness training and security logging controls.
Incident Response: The extent to which ACL had taken reasonable steps to prepare for a cybersecurity incident, as well as the quality and effectiveness of the incident response activities carried out by ACL and its third-party cybersecurity managed services provider.
Key Takeaways
Technical Evidence Translated Into Legal Context Is Essential for Enforcement
FTI Consulting assisted the OAIC and counsel throughout the investigation by analysing extensive documentation, ranging from reports to the company’s board of directors and witness testimony to system configuration extracts and log files. After the OAIC determined that ACL had failed to take reasonable steps to protect personal information, FTI Consulting assisted with the litigation process by conducting a technical review and analysis of key documents, such as the Concise Statement and the Statement of Agreed Facts. We also provided advice on how to brief independent experts. FTI Consulting’s role in translating complex technical findings into actionable evidence proved crucial to the case’s outcome. This demonstrates that effective cybersecurity enforcement requires bridging technical expertise with legal frameworks. Organisations should ensure their security documentation and practices can withstand both technical scrutiny and legal interpretation.
Cybersecurity Due Diligence During Acquisitions Is Non-Negotiable
In December 2021, ACL acquired Medlab. Shortly thereafter, in February 2022, the Quantum ransomware group compromised Medlab’s information technology network in a sophisticated ‘double extortion’ attack, in which ransomware was deployed to computers across the Medlab network and sensitive data was also exfiltrated from it. This data, which included the personal information of more than 223,000 individuals, was subsequently posted on the Quantum group’s dark web blog in June 2022. ACL publicly announced the breach through an ASX announcement on 27 October 2022.[2] This timeline highlights the critical importance of thorough cybersecurity assessments during mergers and acquisitions. Transactions transfer more than just assets; the acquirer also inherits the target’s existing cybersecurity vulnerabilities and risk profile. Organisations must evaluate not just financial assets but also the cybersecurity posture of the target company before integration, to identify any hidden risks – such as vulnerabilities, past breaches, weak security controls or non-compliance with regulations – that could lead to significant financial, legal and operational consequences after the deal closes. Organisations must also recognise that breach notification timing and transparency are critical factors in regulatory assessments and potential penalties. Prompt, comprehensive disclosure is more than just a compliance requirement; it can significantly affect regulatory outcomes.
Organisations Must Implement Cybersecurity Controls Tailored Specifically to Their Industry and Risk Profile
Litigation involving cybersecurity incidents and data breaches can revolve around specific and highly technical concepts. When initiating proceedings against an organisation impacted by a major data breach, regulators such as the OAIC, together with external counsel, must determine which specific security measures the organisation failed to implement and demonstrate in court that it was reasonable to expect the organisation to have implemented those measures under the circumstances. To assess whether an organisation took reasonable steps, its cybersecurity measures must be evaluated against what is expected of a business of its size, sector and risk profile. Determining these standards requires deep expertise in which cybersecurity practices and controls should be implemented in different kinds of Australian organisations, as well as in cybersecurity frameworks and the technical specifics of the controls themselves.
The Australian Federal Court’s ruling in the ACL case confirms a new standard: organisations must implement cybersecurity controls tailored specifically to their industry and risk profile. Generic security measures no longer satisfy regulatory requirements. This precedent fundamentally changes how Australian businesses must approach cybersecurity compliance.
Final Thought: Cybersecurity Failures Carry Real Consequences
This landmark case signals a new era of privacy enforcement in Australia, establishing that financial penalties await organisations that fail to take reasonable steps to protect personal information. The AUD5.8 million penalty sends a clear message: not safeguarding personal information through robust cybersecurity practices can have substantial consequences. Organisations must strengthen their cyber resilience or face the growing likelihood of penalties and potential litigation.
Footnotes:
1: “Australian Clinical Labs ordered to pay penalties in relation to Medlab Pathology data breach in first for Privacy Act,” Office of the Australian Commissioner (October 9, 2025).
2: “Cyber Security Incident and notifiable data breach – Medlab Pathology,” Australian Clinical Labs Limited (October 27, 2022).