New privacy rules make cyber governance 'non negotiable,' Grant Thornton says

The breach happened after ACL acquired the assets of another pathology firm, Medlab. Federal Court documents noted that the cyberattack occurred in February 2022, on the computer systems that ACL had acquired from Medlab in December 2021.

The court found that ACL had failed to take reasonable steps to carry out a "reasonable and expeditious" assessment of the attack and whether it constituted an eligible data breach under the Privacy Act.

Grant Thornton cyber risk consultants Daniel Farthing and Matthew Green said that the steep penalty demonstrated the importance of being proactive about cybersecurity risks throughout transactions.

"The court's findings make it clear that privacy and cyber obligations are immediate and non-negotiable from the point of acquisition, and that governance failures - both technical and procedural - will be scrutinised," Farthing and Green wrote in an insight.

Grant Thornton said the case had highlighted the importance of conducting deep cyber due diligence prior to an acquisition to identify inherited risks, and underscored the fact that privacy responsibilities began as soon as an acquisition was complete.

"Privacy and cybersecurity responsibilities begin the moment an acquisition is completed. Acquiring companies cannot defer these obligations until post-integration, and the court found ACL's delayed approach unreasonable," the consultants wrote.

They added that organisations were expected to document incident response decisions, escalation paths and rationales in real time when cyberattacks occurred.

"This forensic approach is essential for demonstrating compliance and effective governance during regulatory review or litigation," the consultants noted.

The $5.8 million penalty signaled that the Office of the Australian Information Commissioner (OAIC) was escalating its regulatory enforcement when it came to consumer data and privacy.

To mitigate legal and reputational risks, Grant Thornton urged organisations to conduct deep cyber due diligence during transactions and establish strong cybersecurity controls from day one of acquisition.

They also reiterated the importance of regularly assessing the effectiveness of privacy and cyber controls, and ensuring ongoing oversight of breach readiness and governance.

"The ACL case reinforces that privacy and cybersecurity are no longer operational concerns - they are governance imperatives. Boards and executive teams must treat breach readiness, acquisition risk, and third-party oversight as core components of enterprise risk management," the consultants wrote.
