The Federal Court of Australia recently ordered Australian Clinical Labs (ACL) to pay $5.8 million in civil penalties. This judgment follows a February 2022 cyberattack on its Medlab Pathology business, which exposed the personal information of over 223,000 individuals. This decision marks the first time the Court has issued civil penalties under the Privacy Act 1988 (Cth).
For business owners and executives, this case shifts the baseline for risk management. The penalties were not just for the hack itself. They punished the company for how it prepared for, assessed, and reported the incident. If you require legal advice for data breach prevention or response, this ruling provides the clearest guidance yet on what the law expects from Australian companies.
The Breakdown of the Penalty
The $5.8 million figure grabs headlines, but the breakdown of the fine tells the real story for directors. The Court did not issue a lump sum. It applied specific penalties for specific failures in governance and process.
- $4.2 million for failing to take reasonable steps to protect personal information. This constituted a breach of Australian Privacy Principle 11.1.
- $800,000 for failing to carry out a reasonable and expeditious assessment of the breach.
- $800,000 for failing to notify the Australian Information Commissioner as soon as practicable.
The Court punished ACL heavily for its sluggish response. The company delayed assessing the breach and delayed telling the regulator. These two administrative failures cost the business $1.6 million alone. This demonstrates that your incident response plan is a legal document, not just an operational manual. Speed reduces liability.
Director Duties for Cybersecurity in Australia
Cybersecurity often gets delegated to the IT department. The Medlab judgment makes it clear that this approach is dangerous. Justice Halley found that ACL’s senior management was directly involved in the decision-making regarding the integration of Medlab’s IT systems. He noted that the contraventions resulted from a failure to act with “sufficient care and diligence.”
This language mirrors the statutory duties found in the Corporations Act 2001 (Cth). Director duties for cybersecurity in Australia now effectively include the obligation to oversee data protection frameworks. You cannot plead ignorance of technical risks if you made the commercial decision to acquire a company or integrate a system without proper due diligence.
If a board approves a merger or acquisition, that board owns the cyber risks inherited from the target company. In the Medlab case, the vulnerabilities existed within the acquired system. The parent company paid the price for failing to secure the environment it purchased.
The “Reasonable Steps” Standard
The largest portion of the penalty ($4.2 million) addressed the failure to take “reasonable steps” to secure data. Many SME directors struggle to define what “reasonable” looks like. It does not mean your system must be impenetrable. It means your defence must match the sensitivity of the data you hold.
Medical and health data is highly sensitive. The Court expects a higher standard of care for this information than for a standard marketing email list. However, even basic commercial data requires protection. A guide for business from the FTC suggests that reasonable security includes regular updates, restricting access, and training staff. Australian courts are adopting similar expectations.
Failing to patch known vulnerabilities or leaving administrative passwords as “admin123” will likely fail the reasonable steps test. Directors must ask their technical teams specific questions about these controls. Accepting a generic “we are secure” assurance is no longer sufficient diligence.
The Cost of Delay
The $1.6 million in penalties for delay highlights a specific trap for SMEs. When a breach happens, the instinct is often to wait for certainty before reporting. Executives worry about reputation damage or false alarms. The Medlab ruling punishes this hesitation.
The law requires an “expeditious” assessment. You do not have weeks to debate whether a breach occurred. Once you suspect an eligible data breach, the clock starts. Scientific publications on data security emphasize that immediate action preserves evidence and limits harm. The Federal Court has now attached a specific price tag to hesitation.
Implications for SME Governance
Small and medium enterprises often assume they fly under the radar of the Privacy Commissioner. This is a risky assumption. If your annual turnover exceeds $3 million, you must comply with the Privacy Act. Even if you are smaller, trading in personal information (like a health service or a gym) often brings you under the Act.
Furthermore, the reputational damage often exceeds the fine. The Court noted that ACL’s conduct had the potential to impact public trust. For an SME, a loss of trust can be fatal. We have seen similar compliance pressures in other sectors. For instance, the recent Australian social media ban places heavy burdens on tech companies to verify user ages. The regulatory environment is tightening across the board.
Practical Steps for Directors
You need to treat data like a physical asset. If you left the warehouse doors open and stock was stolen, the board would demand answers. Data requires the same oversight.
1. Review Your Insurance
Check your Directors and Officers (D&O) insurance and your Cyber Liability policy. Do they cover regulatory fines? Do they cover the legal costs of a Privacy Commissioner investigation? Many policies have exclusions for “gross negligence” or known vulnerabilities.
2. Test Your Response Plan
A paper plan is useless during a crisis. Run a simulation. If your systems went dark today, who calls the lawyers? Who calls the forensic IT team? Who decides when to notify the Commissioner? If the answer is “we would figure it out then,” you are exposed to penalties for delay.
3. Governance Structure
Ensure cybersecurity appears on your board agenda quarterly, not annually. Ask for reports on patch status, training completion rates, and attempted intrusions. As a Melbourne-based cybersecurity lawyer, I often see boards that only discuss cyber risk after an incident. That is too late.
The Medlab case proves that privacy compliance is a board-level legal duty. The $5.8 million penalty serves as a warning that the cost of poor governance is rising.
If you are concerned about your company’s exposure to data risks or need to review your director obligations, contact SLK Lawyers for a confidential discussion.
Book an appointment with one of our Lawyers to discuss your specific needs.
A Note on the Information We Share
Reading this information does not create a lawyer-client relationship between you and SLK Lawyers. This only occurs with a formal written agreement. Content is current at publication and applies to Victorian law unless stated otherwise. It is general information only and not a substitute for specific legal advice. Strict time limits apply to legal claims. You should seek immediate legal advice on your specific situation to ensure your rights are protected.