Key points

• The Office of the Australian Information Commissioner (OAIC) has commenced court proceedings against Medibank arising from its October 2022 data breach. The OAIC alleges that Medibank seriously interfered with the privacy of 9.7 million Australians by failing to take reasonable steps to protect their personal information from misuse and unauthorised access or disclosure in breach of the Privacy Act 1988 (Cth). The maximum civil penalty order theoretically available under the Privacy Act in this case is a staggering AU$21.5 trillion.
• Comments from the Privacy Commissioner also highlight that organisations have “an ethical as well as legal duty to protect the personal information they are entrusted with”. The specific reference to an ethical duty may flag a significant shift in the OAIC’s approach to enforcement.
• With the impending far-reaching Privacy Act reforms, organisations doing business in Australia should focus on being in the best position possible to respond quickly to those reforms and remain privacy compliant.

The Medibank data breach and OAIC investigation

On 25 October 2022 Medibank notified the OAIC of a data breach involving Medibank and its subsidiary ahm that was ultimately determined to have affected 9.7 million individuals, who were current or former customers. Personal information was subsequently released by the threat actor or actors on the dark web.

Under Australian Privacy Principle (APP) 11.1, Medibank is required to take such steps as are reasonable in the circumstances to protect the personal information it holds from misuse, interference and loss, as well as from unauthorised access, modification or disclosure.

The OAIC received a number of individual complaints and a representative complaint under the Privacy Act following the data breach. It commenced an investigation into the data breach, considering Medibank’s practices regarding the management and securing of personal information and whether such steps were reasonable in the circumstances to protect the personal information from unauthorised access.

Federal Court proceedings commenced

The Australian Information Commissioner may apply to the Federal Court for a civil penalty order where an organisation is alleged to have engaged in serious or repeated interferences with privacy in contravention of section 13G of the Privacy Act. 

Following the OAIC’s investigation, it commenced proceedings in the Federal Court. Medibank is defending the proceedings. The OAIC alleges that in respect of the data breach:

• Medibank failed to take such steps as are reasonable in the circumstances to protect the compromised personal information it held given its size, resources and the nature and volume of the personal information;
• the release of that personal information on the dark web exposed a large number of Australians to the likelihood of serious harm, including potential emotional distress and the material risk of identity theft, extortion and financial crime; and
• this resulted in a serious interference with the privacy of individuals in contravention of section 13G.

For breaches at the time of the Medibank data breach, the Federal Court can impose a civil penalty of up to AU$2.22 million for each contravention of section 13G – that is, theoretically at least, for each of the 9.7 million individuals affected. It is a matter for the Court to determine whether a civil penalty order is to be made and, if so, the amount.

The maximum penalty with 9.7 million people involved in the breach could therefore amount to $21.5 trillion. Of course, that remains at the discretion of the Federal Court. It is highly unlikely that any award of a civil penalty would even be in the vicinity of that amount, but it does signal the sheer gravity of the case.

It is worth noting that under the December 2022 amendments to the Privacy Act, which apply to breaches from that date onwards, the maximum civil penalty order can now be up to the greater of:

• AU$50 million;
• three times the value of the benefit obtained directly or indirectly and that is reasonably attributable to the conduct; and
• if the value of that benefit cannot be determined – which would be the case for a data breach – 30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

The OAIC has indicated that, in the financial year ending June 2022, Medibank generated a revenue of AU$7.1 billion. If Medibank had suffered the data breach after December 2022, the maximum penalty would be several orders of magnitude higher.

Although such action by the OAIC remains very rare given the relatively constrained resources available to it, it is a salient reminder with the impending Privacy Act reforms that privacy compliance – especially in the context of cyber readiness and operational resilience – remains a critical risk to be actively addressed by boards on an ongoing basis. 

A new ethical duty to protect personal information?

The Privacy Commissioner commented on the OAIC’s commencement of proceedings:

“Organisations that collect, use and store personal information have a considerable responsibility to ensure that data is held safely and securely. That is particularly the case when it comes to sensitive data. This case should serve as a wakeup call to Australian organisations to invest in their digital defences to meet the challenges of an evolving cyber landscape. Organisations have an ethical as well as legal duty to protect the personal information they are entrusted with and a responsibility to keep it safe.”

The Commissioner’s express reference to an organisation’s “ethical duty” – which goes beyond its “legal duty” – to protect personal information it holds signals a definite shift in the regulator’s approach. There is nothing in the Privacy Act or the OAIC’s APP Guidelines, which explain the OAIC’s interpretation of the APPs, which imposes any such ethical duty.

The Australian Government has recently indicated that its proposed Privacy Act reforms will be introduced to Parliament in August this year. They are likely to include the introduction of a “fair and reasonable” threshold test that must be met for collection of personal information. Is it possible the OAIC sees this as an opportunity to enforce an ethical obligation when it comes to protection of personal information? There is no doubt we are heading into uncharted waters for privacy regulation in Australia. We will have to look to the OAIC as the privacy regulator for guidance on how any fair and reasonable test will be interpreted, but it seems that ethics will need to be front of mind.

Next steps

The OAIC’s commencement of court proceedings against Medibank, and the Privacy Commissioner’s express reference to an ethical duty to protect personal information, reflect an increasingly aggressive privacy regulatory enforcement landscape in Australia. With the impending significant Privacy Act reforms, organisations doing business in Australia should focus on being in the best position possible to respond quickly to those reforms and remain privacy compliant.

We recommend that organisations take the following steps:

1. Data audit: conduct an audit of the organisation’s data governance framework, data use cases, consent processes and privacy documentation;
2. AI audit and uplift: identify automated decision-making (and ‘AI-powered’) processes and uplift ethical AI governance frameworks;
3. Systems audit and uplift: consider necessary uplifts to systems and processes to support the operational impact of the proposed privacy reforms;
4. Data governance uplift: review and uplift data retention and destruction frameworks, cyber incident response plans and privacy documentation; and
5. Privacy impact assessments: develop and implement formal privacy impact assessments for use cases that are assessed as high-risk from a privacy perspective.

The OAIC is now more than ever ready, willing and able to wield its far-reaching regulatory powers.