In a landmark move, the Australian Information Commissioner has filed civil penalty proceedings against Medibank in connection with a data breach that came to light in October 2022.
The proceedings relate to unauthorised disclosure of personal information concerning 9.7 million people. The Commission alleges that Medibank seriously interfered with the privacy of those people by failing to take reasonable steps to protect their personal information from misuse and unauthorised access and disclosure in breach of the Privacy Act 1988 (Cth).
The Commission is alleging 9.7 million contraventions of section 13G of the Privacy Act, each of which carries a maximum civil penalty of A$2.22 million.
The proceedings are very significant in that they will test what does or does not amount to “reasonable steps” to protect personal information from unauthorised access and disclosure in terms of Australian Privacy Principle 11.
Moreover, the case will test what amounts to “serious” interference with privacy under section 13G, which triggers the civil penalty liability (as does a “repeated” interference with privacy). The Commissioner is alleging that the conduct is serious and repeated, in the latter case, on the basis that the contravention was repeated for each day during the relevant period.
If the Commissioner’s approach is accepted by the Federal Court, most data breaches of any scale will involve serious or repeated interferences with privacy (or both), and trigger the potential liability for civil penalties.
These considerations have become even more significant since December 2022, when the penalties under section 13G were increased to the greatest of:
Although the principles of civil penalty assessment mean that it is not a simple arithmetic exercise of multiplying the number of (alleged) breaches (up to 9.7 million) by the maximum penalty (A$50 million), the headline number under the new regime would be a staggering A$485 trillion. Under the old regime, the number is still a huge A$21.5 trillion. In comparison, Australia’s 2023 GDP was of the order of A$2.6 trillion.
By way of comparison, in the Commonwealth Bank anti-money laundering civil penalty proceedings taken by AUSTRAC, 53,506 contraventions were covered by a single A$125 million penalty, with the totality of the conduct bringing a record A$700 million civil penalty.
From a corporate governance perspective, the potential for substantial civil penalty liability, not to mention reputational damage, caused by enforcement proceedings, means directors and senior managers who may be “officers” under the Corporations Act 2001 (Cth) can be personally liable in the event of a data breach. This is the so-called “stepping stones” liability under section 180 of the Corporations Act, arising where the company is exposed to a foreseeable risk of harm through a failure of care and diligence.
The Australian Securities and Investments Commission (ASIC) can take enforcement proceedings for a breach of the care and diligence duty, and can seek civil penalties and disqualification orders against officers personally.
This is a kind of indirect liability for directors and other officers for a data breach, which is in addition to possible liability as an accessory under the Privacy Act and the Regulatory Powers (Standard Provisions) Act 2014 (Cth). Accessory liability requires knowledge of the facts that make up the contravention, along with some kind of participation in the contravention. Liability under the “stepping stones” doctrine only requires an omission – a failure to exercise a sufficient degree of care and diligence in the circumstances.
For a discussion of the responsibility of directors for cybersecurity, see Professor Pamela Hanrahan’s Insight, ‘Cybersecurity governance: are directors doing enough?’
--
Note: this Insight was updated following publication by the Commissioner of the Concise Statement relating to the proceedings on the OAIC website on 17 June 2024.
Usually who serves on the board of a listed company is a matter for the company itself and others, including the courts, only rarely intervene. That’s why the Takeovers Panel’s order requiring...
The recent decision of the Federal Court in relation to proceedings brought by ASIC against iSignthis Limited and its former Managing Director and CEO, Mr Nickolas Karantzis highlights that a...
Welcome to Digital Bytes, our latest quarterly update on current developments in cyber, privacy and data governance.