Anyone impacted by the cyber attack on Medibank Private Limited between August and October 2022 will be familiar with the importance of privacy laws in Australia.
And for businesses, both small and large, it’s a good lesson in the importance of keeping your privacy and cyber security compliance standards high.
Following an investigation into the October 2022 data breach, in which the personal and sensitive information of 9.7 million Australians was stolen and released on the dark web, the Australian Information Commissioner has filed an application in the Federal Court against Medibank.
The Commissioner alleges that Medibank seriously interfered with the privacy of 9.7 million Australians, exposing them to the likelihood of serious harm, including potential emotional distress, and risk of identity theft, extortion and financial crime.
Privacy law in Australia
Privacy in Australia is regulated under the Commonwealth Privacy Act 1988, and separate privacy and information legislation in each state and territory.
This legislation governs standards, rights and obligations related to how personal information is collected, used and disclosed. You can learn more about the specifics of the Privacy Act here.
Who does it apply to?
The Privacy Act applies to Australian Government agencies and to organisations with an annual turnover of more than $3 million, which can include a body corporate, a trust, a partnership, an unincorporated association, or a sole trader/individual.
However, some small businesses (with an annual turnover of $3 million or less) are also covered if they operate in the health or financial services sectors, or trade in personal information.
Previously, a foreign company only had the required "Australian link" if it both carried on business in Australia and collected or held personal information in Australia. Changes made in December 2022 removed the second limb, so any foreign entity carrying on a business in Australia is now covered by the Privacy Act if it meets the other requirements.
Potential penalties are high!
Following changes in December 2022, the potential penalties for serious or repeated interferences with privacy under the Privacy Act have increased significantly. The Federal Court is now empowered to fine a company in breach of the Act the greater of:
- $50 million (up from $2.2 million);
- three times the value of the benefit obtained from, or attributable to, the breach (if this can be determined); or
- 30% of the company's adjusted turnover during the breach turnover period.
In addition, the Commissioner can issue infringement notices and accept enforceable undertakings, and a court may grant an injunction for a breach of the Privacy Act.
What now for Medibank?
The good news for Medibank is that their cyber attack and data breach occurred prior to the increased penalties coming into place. We’ll be keeping an eye on the Federal Court to see how the matter progresses and will provide updates on anything that may prove valuable for other businesses.
Please contact our Intellectual Property Team if you have any concerns about how the privacy rules may apply in your business and whether you are ensuring your business complies with its obligations.
For further information please contact Ben Gouldson.
The assistance of Amelia Bourke Legal Assistant in researching this article is gratefully acknowledged.