The unauthorised access and release of personal information has never been more prevalent. The Australian Signals Directorate has reported that it received notifications of cybercrime once every six minutes in the 2023 financial year. For the individuals whose personal information is released, the consequences can be dire. For the companies that hold that data, the regulatory consequences can be multitudinous and ongoing.
The Australian government has recently voiced in principle support for the removal of the small-businesses exemption from the Privacy Act 1988 (“Privacy Act”). While the details and timeline for that reform are currently unclear, there is a strong likelihood that the coverage of the Act will expand in the foreseeable future. Actions taken by government of late indicate just how far reaching the impacts of cyber incidents can be – not only for those responsible for the cyber incident, but also for organisations that are the supposed “safekeepers” of personal information.
In this article, special counsel Alistair Bridges and lawyer Emily Schilling track the unfolding regulatory consequences arising out of Medibank’s 2022 data breach, to illustrate the prolonged hangover that follows a cyberattack.
Two investigations, one class action and no (injunctive) relief
In 2021 Medibank was involved in a large-scale cyberattack that saw hackers gain access to Medibank’s internal systems, hold its files to ransom and then release the personal information they had obtained, reportedly including names, dates of birth, addresses, Medicare and passport numbers, as well as medical claims data. It was a catastrophic event affecting approximately 9.7 million current and former Medibank customers.
Consequently, the Information Commissioner (“Commissioner”) within the Office of the Australian Information Commissioner (“OAIC”) is carrying out two concurrent investigations in relation to the data breach.
- The first investigation is a commissioner-initiated investigation, established by the Commissioner in December 2022.[1] The Commissioner is seeking to assess whether Medibank’s acts or practices in relation to the data breach constitute an interference with the privacy of an individual or a breach of the Australian Privacy Principles (“APPs”) contained within the Privacy Act. Specifically, it examines whether Medibank complied with APPs 1.2 (whether reasonable steps were taken steps to implement practices and procedures to uphold the APPs), 11.1 (whether reasonable steps were taken to protect personal information) and 11.2 (whether personal information that was no longer needed was destroyed or de-identified).
- The second investigation follows a receipt of a “representative complaint” – essentially a complaint made by an individual on behalf of a class of individuals, in this instance any individual whose personal information was exposed as a consequence of the data breach. The complaint alleges that Medibank breached APP 11 and so interfered with the privacy of those class members.
When the investigations conclude, the Commissioner may determine that Medibank has “engaged in conduct constituting an interference with the privacy of an individual”, and declare that Medibank should take a particular action to ensure that the conduct is not repeated, or that the individuals affected are entitled to compensation, amongst other declarations.[2] Indeed, the representative complaint reportedly sought compensation for loss and damage arising from the data breach. Unlike with common law generally, compensation under the Privacy Act can be awarded for injury to a person’s feelings and humiliation.[3] If Medibank is found to have made serious and/or repeated interferences with an individual or individuals’ privacy, it may also face a fine of AUD50 million.[4] Ultimately, if declarations are made the Commissioner (or complainant) will need to initiate proceedings in the Federal Court to have them enforced.[5]
As if this were not enough, Medibank is also facing a class action for compensation for damages arising out of the data breach. Reportedly, the proceeding is based on the argument that Medibank represented that it would comply with, and would maintain systems for ensuring compliance with, various APPs, but did not have reasonable grounds for making those representations and therefore breached sections 18 (“misleading or deceptive conduct”) and 29 (“false or misleading representations about goods or services”) of the Australian Consumer Law. If Medibank is found to have breached the Australian Consumer Law, it may face a financial penalty equivalent to the greater of AUD50 million, three times the value of the “reasonably attributable” benefit obtained from the conduct, or 30 per cent of the adjusted turnover during the breach period.[6]
In the face of these complications, Medibank sought an injunction against the OAIC investigations, on the basis that the simultaneous operation of the investigations alongside the class action would pose “a real risk of interference with the administration of justice”.[7] In other words, Medibank argued that the regulatory actions could result in different outcomes in relation to the same set of facts.
The court handed down its judgment in late February. Whilst the Federal Court accepted that the concurrent operation of the different actions could theoretically interfere with the administration of justice, it held that the application of these principles to the present context did not warrant the injunction being granted. This is because, in part, Commissioner determinations are “not of themselves binding or conclusive”,[8] they must be enforced by courts, and that the Commissioner is likely to make a determination before the class action is listed for trial (if it so proceeds to trial), and can ensure there are no inconsistent findings. So, despite the factual and legal overlap between the investigations and the class-action proceedings, all three remain on foot.
Sanctions for cybercriminals
Of course, Medibank is not the party that accessed the personal information without authorisation, nor is it the party that published that information on the dark web. The Australian government has gone after the actual perpetrators of the data breach, and they have done so in a rather unique way – under Australia’s Autonomous Sanctions Act 2011 (“ASA”).
While Australian sanctions are generally adopted to address, redress or otherwise influence matters of international concern, amendments were made to the ASA in late 2021 that allow the Minister for Foreign Affairs (“the Minister”) to apply sanctions to individuals and entities involved in, among other things, significant cyber incidents occurring anywhere in the world. On 23 January 2024, after 18 months of investigation involving the Australian Federal Police and the Australian Signals Directorate, the Minister sanctioned a Mr Aleksandr Gennadievich Ermakov – a Russian hacker who the investigation linked to the Medibank data breach. Not only is it the first time someone has been penalised for the 2022 Medibank data breach, this also marks the first time that the government has utilised the significant cyber incidents sanctions regime.
New “doxxing” laws target perpetrators at home
This willingness to pursue those responsible for data breaches can also be seen in the government’s recent announcements regarding "doxxing”. For those unaware, doxxing is the act of maliciously publishing an individual’s personal information online, such as their name, phone number and address, without their consent. It is malicious because the person (individual or entity) releasing the information intends to cause harm (i.e. to encourage forum-users to harass a particular individual).
To curtail this practice, the government has proposed a set of reforms to the Privacy Act, which include the introduction of a statutory tort for “serious invasions of privacy”. This would allow individuals to seek redress for doxxing via the courts. While these reforms are still in their earliest stage – public consultation closes on 28 March 2024 –- the Government’s intent to dissuade the misuse of personal information is clear.
No doubt this will progress alongside the range of other reforms already being proposed to modernise and increase Privacy Act protections (for more information on these existing reforms see our previous article). This would add another string to the bow of regulatory consequences for the perpetrators of data breaches.
Maintain the walls to prevent the flood
In these matters, the best defence is a strong offence, which in this sense encompasses having robust information systems, processes and procedures in place. This minimises the chance of the organisation’s information being accessed and disclosed without authority, and in turn increases the organisation’s compliance with Privacy Act obligations. Failure to embed such systems, processes and procedures into an organisation’s operations can expose it to investigations, class actions and public criticism.
For more information on privacy and sanctions laws, including how your organisation can comply with Australia’s privacy and sanction regimes, please contact our regulatory team.
[1] In this investigation, the Commissioner is investigating Medibank’s personal handling practices and whether Medibank took reasonable steps to implement practices and procedures to uphold the Australian Privacy Principles (section 40(2) of the Privacy Act). As the name suggests, this investigation is being carried out on the Commissioner’s own initiative.
[2] Privacy Act, s 52(1).
[3] Privacy Act, s 25.
[4] Or 3 times the value of the benefit obtained reasonably attributable to the conduct constituting the contravention or 30 per cent of the adjusted turnover during the breach turnover period; Privacy Act, s 13G.
[5] Privacy Act, ss 25, 55A and 80U.
[6] Competition and Consumer Act 2010, Schedule 2, section 151.
[7] Medibank Private Limited v Australian Information Commissioner [2024] FCA 117, 3.
[8] Medibank Private Limited v Australian Information Commissioner [2024] FCA 117, 116-189.
This memo presents an overview and commentary of the subject matter. It is not provided in the context of a solicitor-client relationship and no duty of care is assumed or accepted. It does not constitute legal advice.
© Moulis Legal 2024
