Corporate governance implications of Medibank enforcement proceedings

Articles Written by John Keeves (Partner)

In a landmark move, the Australian Information Commissioner has filed civil penalty proceedings against Medibank in connection with a data breach that came to light in October 2022.

The proceedings relate to unauthorised disclosure of personal information concerning 9.7 million people. The Commission alleges that Medibank seriously interfered with the privacy of those people by failing to take reasonable steps to protect their personal information from misuse and unauthorised access and disclosure in breach of the Privacy Act 1988 (Cth).

The Commission is alleging 9.7 million contraventions of section 13G of the Privacy Act, each of which carries a maximum civil penalty of A$2.22 million.

The proceedings are very significant in that they will test what does or does not amount to “reasonable steps” to protect personal information from unauthorised access and disclosure in terms of Australian Privacy Principle 11.

Moreover, the case will test what amounts to “serious” interference with privacy under section 13G, which triggers the civil penalty liability (as does a “repeated” interference with privacy). The Commissioner is alleging that the conduct is serious and repeated, in the latter case, on the basis that the contravention was repeated for each day during the relevant period. 

If the Commissioner’s approach is accepted by the Federal Court, most data breaches of any scale will involve serious or repeated interferences with privacy (or both), and trigger the potential liability for civil penalties.

These considerations have become even more significant since December 2022, when the penalties under section 13G were increased to the greatest of:

  • A$50 million;
  • three times the value of any benefit derived from the breach (if the benefit can be determined by the Court);
  • 30 per cent of the adjusted turnover of the contravening entity group for the greater of 12 months or the period of the breach.

Although the principles of civil penalty assessment mean that it is not a simple arithmetic exercise of multiplying the number of (alleged) breaches (up to 9.7 million) by the maximum penalty (A$50 million), the headline number under the new regime would be a staggering A$485 trillion. Under the old regime, the number is still a huge A$21.5 trillion. In comparison, Australia’s 2023 GDP was of the order of A$2.6 trillion.

By way of comparison, in the Commonwealth Bank anti-money laundering civil penalty proceedings taken by AUSTRAC, 53,506 contraventions were covered by a single A$125 million penalty, with the totality of the conduct bringing a record A$700 million civil penalty.

From a corporate governance perspective, the potential for substantial civil penalty liability, not to mention reputational damage, caused by enforcement proceedings, means directors and senior managers who may be “officers” under the Corporations Act 2001 (Cth) can be personally liable in the event of a data breach. This is the so-called “stepping stones” liability under section 180 of the Corporations Act, arising where the company is exposed to a foreseeable risk of harm through a failure of care and diligence.

The Australian Securities and Investments Commission (ASIC) can take enforcement proceedings for a breach of the care and diligence duty, and can seek civil penalties and disqualification orders against officers personally.

This is a kind of indirect liability for directors and other officers for a data breach, which is in addition to possible liability as an accessory under the Privacy Act and the Regulatory Powers (Standard Provisions) Act 2014 (Cth). Accessory liability requires knowledge of the facts that make up the contravention, along with some kind of participation in the contravention. Liability under the “stepping stones” doctrine only requires an omission – a failure to exercise a sufficient degree of care and diligence in the circumstances.

For a discussion of the responsibility of directors for cybersecurity, see Professor Pamela Hanrahan’s Insight, Cybersecurity governance: are directors doing enough?

--

Note: this Insight was updated following publication by the Commissioner of the Concise Statement relating to the proceedings on the OAIC website on 17 June 2024.  

Important Disclaimer: The material contained in this article is comment of a general nature only and is not and nor is it intended to be advice on any specific professional matter. In that the effectiveness or accuracy of any professional advice depends upon the particular circumstances of each case, neither the firm nor any individual author accepts any responsibility whatsoever for any acts or omissions resulting from reliance upon the content of any articles. Before acting on the basis of any material contained in this publication, we recommend that you consult your professional adviser. Liability limited by a scheme approved under Professional Standards Legislation (Australia-wide except in Tasmania).

For more information, please contact

Related insights Read more insight

When is a final decision not final? Key learnings from the ASIC v iSignthis saga

The recent decision of the Federal Court in relation to proceedings brought by ASIC against iSignthis Limited and its former Managing Director and CEO, Mr Nickolas Karantzis highlights that a...

More
Digital Bytes – cyber, privacy & data update

Welcome to Digital Bytes, our latest quarterly update on current developments in cyber, privacy and data governance.

More