ARTICLE
9 September 2024

Medibank's mistake is a privacy lesson for all businesses

Clifford Gouldson Lawyers

Contributor

Clifford Gouldson Lawyers is a leading regional provider of legal services to the business, government and not-for-profit sectors. Established in Toowoomba more than 15 years ago with a commitment to offering specialised expertise in a regional setting, we now provide our services across multiple offices within Queensland and interstate.
A good lesson in the importance of keeping your privacy and cyber security compliance standards high.

Anyone impacted by the cyber attack on Medibank Private Limited between August and October 2022 will be familiar with the importance of privacy laws in Australia.

And for businesses, both small and large, it's a good lesson in the importance of keeping your privacy and cyber security compliance standards high.

Following an investigation into the October 2022 data breach, in which the personal and sensitive information of 9.7 million Australians was stolen and released on the dark web, the Australian Information Commissioner has recently filed an application in the Federal Court against Medibank.

The Commissioner alleges that Medibank seriously interfered with the privacy of 9.7 million Australians, exposing them to the likelihood of serious harm, including potential emotional distress, and risk of identity theft, extortion and financial crime.

Privacy law in Australia

Privacy in Australia is regulated under the Commonwealth Privacy Act 1988, and separate privacy and information legislation in each state and territory.

This legislation governs standards, rights and obligations related to how personal information is collected, used and disclosed. You can learn more about the specifics of the Privacy Act here.

Who does it apply to?

The Privacy Act applies to Australian Government agencies and to organisations with an annual turnover of more than $3 million, which can include a body corporate, a trust, a partnership, an unincorporated association, or a sole trader/individual.

However, some small businesses (with an annual turnover of $3 million or less) are also covered if they operate in the health or financial services sectors, or trade in personal information.

Previously, only companies with an Australian link had responsibilities under the Privacy Act; however, changes made in December 2022 mean that any foreign entity carrying on a business in Australia will be covered by the Privacy Act if it meets the other requirements.

Potential penalties are high!

Following changes in December 2022, the potential penalties for breaches under the Privacy Act have increased significantly. The Federal Court is now empowered to fine a company in breach of the Act:

  • $50 million (up from $2.2 million);
  • Three times the value of benefits obtained or attributable to the breach (if this can be determined); or
  • 30% of the company's adjusted turnover during the breach turnover period.

A court may also order an infringement notice, an enforceable undertaking, or award an injunction for a breach of the Privacy Act.

What now for Medibank?

The good news for Medibank is that its cyber attack and data breach occurred before the increased penalties came into effect. We'll be keeping an eye on the Federal Court to see how the matter progresses and will provide updates on anything that may prove valuable for other businesses.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
