Case: $5.8m in penalties, new guidance: Australian Information Commissioner v Australian Clinical Labs Limited (No 2) – implications for insolvency practitioners
08/12/2025
Guest Contributors
Deidre Missingham, Consulting Principal, Keypoint Law
Penelope Pengilley RITP, Consulting Principal, Keypoint Law
A variation of this article was originally published by Keypoint Law on 22 October, 2025 and has been re-published with permission from the authors.
Introduction
In September 2024, the ARITA Journal published our article about disclosure of personal information in an insolvency context. There we noted that since 2022, maximum penalties under the Privacy Act 1988 (Privacy Act) for breaching the Australian Privacy Principles (APPs) where there has been a serious interference [i] with privacy have increased to:
- the greater of $50 million, or
- 3 times the value of any benefit, or
- 30% of ‘adjusted turnover’ (i.e. effectively revenue) during the greater of the period of contravention and 12 months.
This regime applies to most organisations with an annual turnover of $3 million or more, which would include many insolvency firms and the entities to which their principals are appointed.
Now we have guidance on how penalties under the Privacy Act in relation to a major data breach may be assessed by the Australian courts. On 8 October 2025, in the groundbreaking Federal Court judgment in the matter of Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 (the ACL case), Justice Halley imposed civil penalties totalling $5.8 million. Of this sum, $4.2 million was in respect of failing to protect personal information properly. This was the first civil penalty proceeding brought by the Australian Information Commissioner (Commissioner) in the history of the Privacy Act.
The factual context of the ACL case (set out below) highlights potential risks for insolvency practitioners in relation to failure to protect personal information properly.
The ACL case: Factual background
The Australian Clinical Labs Limited (ACL) is one of the largest private hospital pathology businesses in Australia. On 19 December 2021, ACL acquired the assets of the smaller Medlab Pathology Pty Ltd, planning to integrate the two companies’ IT systems over the following six months. Around 25 February 2022, the criminal Quantum Group initiated a cyberattack on the Medlab systems (the Medlab cyberattack), exploiting vulnerabilities not identified by ACL. Approximately 86 gigabytes of data were exfiltrated. This data included personal and sensitive information of at least 223,000 individuals, and included passport numbers, health information and financial information.
When initial indications of a cyberattack became apparent within the company, followed by alerts from an expert external body, ACL opted to be guided by its established IT services provider who ran only limited tests and then initially advised that there had not been a reportable data breach. The attackers made a ransom demand, and the exfiltrated data was subsequently published on the dark web. External legal assistance was not sought by ACL until June 2022 and the Commissioner was not notified of ACL’s reasonable belief that an eligible data breach had occurred until 10 July 2022. Further, though not the subject of these proceedings, ACL did not make an ASX announcement and apology until 27 October 2022.
Risks for insolvency practitioners
Privacy breaches by insolvency practitioners – that is, acts or practices which breach an APP – can occur both in the administration of insolvent companies and the sale of assets process. In the ACL case, the relevant breach was of APP 11.1 – failure to take reasonable steps to protect personal information.
When does the risk arise? As in the case of a company acquisition, practitioners become exposed to the risk in relation to APP 11 immediately upon taking control of data that includes personal information, either directly or indirectly by becoming the agent or controller of a company holding the data. The insolvency context, where there is little opportunity for due diligence and every likelihood that, being in financial distress, the subject company’s data protection regime is inadequate, presents heightened risks.
Nature of risk: An insolvency practitioner typically ‘holds’ personal information in a database but potentially stored on its behalf by a software as a service provider. The test is an objective one: were reasonable steps taken in the circumstances? The insolvency practitioner may be held liable if found to have failed to take such steps to protect the personal information from misuse, interference and loss and from unauthorised access, modification or disclosure. Under the new APP 11.3, reasonable steps include both technical and organisational measures.
Mitigating actions: A typical first action upon an insolvency appointment is for books and records to be collected via an IT provider. We suggest extending that process to include a data security audit, appropriate in scale to the circumstances of the entities involved. Even a basic review may assist practitioners to discharge their duties both in respect of any pre-appointment breaches that should be notified and any vulnerabilities in the company’s data security arrangements that may be identified.
Beyond that audit or review, what constitutes reasonable steps in an insolvency context is very much circumstances driven. Considerations such as direct cost and potential delay as well as the risk reduction envisaged by taking further data protective measures will need to be taken into account.
Additional risks when selling personal information: Where personal information held by a company is an asset that could be sold for the benefit of the creditors, then it is important that that asset be protected, like any other asset in an administration. It is important to note here that trading in personal information means the small business exemption from the Privacy Act does not apply (s 6D(4)).
Consent may be required to transfer personal information to a purchaser – that is, to enable the value in the asset to be realised. Reliance on consent is a somewhat contentious issue in privacy law. Under the Privacy Act, for consent to be valid it must be informed, voluntary, current and specific, and the individual must have capacity to give consent. The Commissioner and Courts are likely to be sympathetic to arguments that any consents obtained when the personal information was first collected may no longer be valid. This is because it could be argued that any consents were given in expectation that the individual’s data would remain protected, with the consent continuing only for as long as the protection remains on foot. Such an argument is another reason to begin or continue taking reasonable steps to protect personal information for the ultimate benefit of the creditors.
Damages claims and class actions: Another consideration in the insolvency context is the prospect of damages claims (under the new statutory tort for serious invasions of privacy) or even a class action being brought by affected individuals in the event of a data breach, particularly a cyberattack. If the breach was pre-appointment, then they too would be creditors of the company and in that event, it would be in the interests of all the creditors for their loss to be minimised as much as possible. If the breach was post-appointment, would any damages claim be a cost of the administration? Would a practitioner’s insurance respond? The prospect of having to face these questions may be another reason to take steps to avoid the risk arising in the first place.
Disclaiming onerous property: These observations also invite the question: can a liquidator disclaim a database as an onerous asset under s 568 of the Corporations Act? This question is beyond the scope of the present article; however, our preliminary view is that if the collection and retention of personal information is contractual in nature as between individual and company, then in essence a liquidator would be seeking to disclaim a series of individual contracts, and leave of the Court would be required under subsection (1A). Such an application is likely to face significant logistical and process hurdles and, as a first step, the Commissioner might be invited into the process as a proper contradictor.
Liability and appointment
Practitioners won’t be liable for pre-appointment breaches – and s 553B of the Corporations Act 2001 (Corporations Act) says that penalties and fines are not admissible to proof against an insolvent company. But if data breaches involving personal information have either been undiscovered or discovered but unreported at the time of appointment, when the breaches subsequently come to light, obligations to assess the seriousness of the breaches, notify as required and take mitigation measures likely fall to the practitioner as current holder of the personal information. Section 553B is no protection from post-appointment breaches.
The findings in the ACL case suggest that where a business faces a material cyberattack risk that could jeopardise personal information, as for example where it holds large quantities of personal and sensitive information, practitioners should accept new appointments only if they believe they have access to the suite of skills necessary immediately to review and manage the level of cyber-risk applicable to that business, including the knowledge and internal capability to oversee any third-party providers in this area.
Summary of ACL case declarations and orders
The Court’s declarations addressed three main failings by ACL and were in the form sought by the Commissioner and agreed by ACL.
- Breach of APP 11.1 – failure to take reasonable steps to protect personal information.
What constituted reasonable steps under APP 11.1(b)? The Court took account of familiar considerations such as size and nature of the entity and volume and sensitivity of the information held. But it also stated that ‘breadth of the necessary inquiry into what might constitute “such steps as are reasonable in the circumstances” is informed by judicial consideration of other legislation that import a “reasonable steps” obligation, in particular, s 961L, s 963F and s 994E(5) of the Corporations Act.’
- Contravention of s 26WH(2) – failure to carry out a reasonable and expeditious assessment of a suspected eligible data breach. [ii]
- Contravention of s 26WK(2) – failure to notify of the data breach as soon as practicable. [iii]
Summary of penalties and costs applied
The Court ordered ACL to pay the Commonwealth of Australia, within 30 days, a civil penalty of $5,800,000, comprised of:
(a) $4,200,000 in respect of failing to protect personal information properly;
(b) $800,000 in respect of delaying assessment of the suspected data breach; and
(c) $800,000 in respect of delaying its notification to the OAIC.
ACL was also required to pay the Commissioner $400,000 toward her costs in the proceeding.
During the relevant period, s 13G carried a maximum of 2,000 penalty units per contravention, multiplied by five for bodies corporate. Each affected individual constituted a separate contravention for the APP 11.1 breach. While the Court did not here impose the huge theoretical maximum penalty for 223,000 affected individuals, in different circumstances in large breach matters, the Court’s per person approach will be significant in respect of assessment of both the ‘serious’ breach threshold and quantum of potential penalties.
OAIC intent
This proceeding also signals a new determination by the OAIC to achieve deterrence by pursuing civil penalties for data breaches and deficient responses. [iv] As indicated above, effective from 13 December 2022, a higher penalty regime provides for maximum penalties of up to $50 million for serious breaches. The amendments also introduced additional tiers of penalties, including a mid-tier penalty for companies of up to $3.3 million for breaches that fall below the threshold of ‘serious’.
Key takeaways
For insolvency practitioners, this decision highlights the need to:
- Develop comprehensive front- and back-end cyber risk policies that include: internal capabilities or partnerships with cybersecurity experts; red flag criteria for assessing cyber risk in new appointments; integrating cyber risk assessments during the books and records collection phase; safeguarding relevant insurance; and maintaining a detailed, up-to-date data breach response plan with assigned roles including for insurer notifications and key timelines.
- Understand the Commissioner’s expectations for prompt and reasonable investigations and notification of data breaches causing serious privacy interferences. While insolvency practitioners’ roles may influence what is deemed reasonable, they may still suffer consequences for delays in notification.
Finally, given the complex interplay between the intent and objectives of privacy law on the one hand and insolvency law on the other, there may be room for industry-level discussion regarding how these very different regimes can operate seamlessly together.
Acknowledgements: The writers would like to thank David Caldwell of Forensic IT whose experience in providing IT services in an insolvency context assisted our understanding of these issues.
Notes
i. Formerly ‘serious and repeated’.
ii. For more background on investigation and reporting issues see Deidre’s previous article ‘How golden is silence? Data breaches involving personal information’ posted by Keypoint Law 9 November 2022: https://www.keypointlaw.com.au/keynotes/how-golden-is-silence-data-breaches-involving-personal-information/
iii. Contraventions 2 and 3 are discussed in more detail in Deidre’s original article posted by Keypoint Law 22 October 2025: https://www.keypointlaw.com.au/keynotes/5-8m-in-penalties-new-guidance-australian-information-commissioner-v-australian-clinical-labs-limited-no-2/
iv. In bringing this proceeding and agreeing a high penalty, the OAIC has demonstrated its increased appetite to bite as well as bark, as compared with its ‘educative’ handling of earlier cyber breach incidents: see for example Re Uber Technologies Inc [2021] AICmr 34.
Disclaimer: Care is taken to ensure the accuracy of any information shared with ARITA by way of guidance; however, ARITA does not accept responsibility for the accuracy or completeness of any information shared, or its applicability to the specific circumstances of anyone reading the content. The information shared by ARITA is not intended to constitute legal, business or other professional advice, but is for informational purposes only. It is not intended as a substitute for advice from a qualified professional. No reference should be made to the information shared by ARITA as support for decisions made by anyone reading the content. ARITA encourages anyone reading the content to consult with its insolvency specialists in relation to any content relating to the law and practice of insolvency.