
Are You Prepared for the Privacy Act Amendments?

Let’s rewind to October 25, 2022, when Medibank reported to the OAIC a significant data breach involving Medibank and its subsidiary ahm. This was later revealed to have affected 9.7 million current and past customers. And we all know how the story ended: many Australians’ personal information was disclosed on the dark web.


The Breach and Its Aftermath

According to Australian Privacy Principle (APP) 11.1, organisations are required to take reasonable steps to protect personal information against misuse, interference, and loss, as well as unauthorised access, modification, or disclosure. Following the breach, the OAIC launched an investigation into Medibank's data security practices to determine whether these measures were sufficient.


The OAIC's investigation could lead to substantial penalties if Medibank is found to have violated section 13G of the Privacy Act, which addresses significant or repeated privacy interferences. Legal proceedings have already commenced, with the OAIC alleging that Medibank:

  • Failed to take adequate steps to protect the personal information it held, considering the size, resources, and nature of the data.
  • Exposed millions of Australians to risks such as emotional distress, identity theft, extortion, and financial crime by allowing their data to be accessed on the dark web.
  • Committed a significant breach of privacy under section 13G.


Potential Fines and Legal Ramifications

The court could impose severe penalties on Medibank, with fines reaching up to AU$2.22 million per affected individual. The total theoretical maximum could be AU$21.5 trillion, although this is highly unlikely.


Amendments to the Privacy Act in December 2022 significantly increased the maximum fines, which can now be:

  • Up to AU$50 million, or
  • Three times the benefit gained from the breach, or
  • 30% of Medibank's annual revenue (AU$7.1 billion in 2022).


Ethical and Legal Duties in Data Protection

The Privacy Commissioner has underscored that organisations have both ethical and legal responsibilities to safeguard personal information. This case should prompt Australian businesses to enhance their digital defences in response to an evolving cyber threat landscape. While the Privacy Act does not explicitly impose an ethical duty, the Commissioner's comments signal a shift towards integrating ethical considerations into regulatory expectations.


Preparing for Privacy Act Amendments

The Australian government is expected to introduce further amendments to the Privacy Act in August, likely including a "fair and reasonable" standard for data collection and protection. This move suggests that the OAIC may enforce these ethical requirements more rigorously.


Steps for Australian Businesses

In light of these developments, Australian businesses should take proactive steps to ensure compliance and strengthen their data protection measures. Recommended actions include:

  • Conducting a Data Governance Audit: Review and enhance data use cases, consent processes, and privacy documentation.
  • Systems Audit and Upgrade: Update systems and procedures to support the operational impact of the proposed privacy regulations.
  • Enhancing Data Governance: Improve data retention and destruction practices, cyber incident response strategies, and privacy documentation.
  • Performing Privacy Impact Assessments: Implement formal assessments for high-risk use cases from a privacy perspective.


Not sure where to start?

The Medibank data breach highlights the critical importance of robust data security and the increasing scrutiny from regulators. With significant changes to the Privacy Act on the horizon, businesses must prioritise both legal compliance and ethical data handling practices to protect their clients and avoid severe penalties.


If you’d like to chat about how you can work towards getting prepared for new privacy regulations, contact us on 1300 901 835 or www.cyberunlocked.com

