OAIC takes legal action against Medibank: a wake-up call to prioritise data protection and privacy

Brenton Steenkamp, Utsab Banskota, Eleanor Dickens, John Dieckmann, Sharon Segal, Monique Azzopardi, David Benson, Sam Fiddian, Angie Freeman and Robert Dearn
02 Jul 2024
3.5 minutes

The protection of customer personal information should be an integral part of an organisation's core mission and values, rather than an afterthought.

The OAIC has initiated civil penalty action against Medibank in the aftermath of the 2022 data breach which affected approximately 9.5 million past and present customers. The OAIC proceedings could result in Medibank being liable for potentially significant civil penalties. The ongoing ramifications associated with the Medibank data breach involving personal and sensitive information is a reminder for organisations to proactively identify and manage privacy risks associated with their personal information holdings and to implement reasonable measures to safeguard such information.

Key takeaways from the Medibank data breach

  • Privacy is a corporate responsibility that demands Board level consideration: Irrespective of the court's final decision on the penalty amount, this incident underscores a reality that significant customer data breaches have the potential to cause catastrophic financial impacts on even the largest corporations. In an era where, on the one hand, organisations are collecting and processing large volumes of customer data and, on the other hand, there is an increasing number of sophisticated cyber-attacks, it is imperative for company Boards and leadership teams to actively oversee organisational privacy policies and practices and foster a culture of responsibility and accountability. This should start with organisations understanding the nature of their data holdings, including personal information holdings, and establishing "fit for purpose" governance arrangements.
  • The downstream impact and repercussions of a data breach on customer privacy can be very high and long-lasting, potentially leaving the company's reputation irreparably damaged: According to the Victoria Police submission to the Commonwealth Parliamentary Joint Committee on Law Enforcement "Inquiry into the capability of law enforcement to respond to cybercrime", over 11,000 cybercrime incidents have reportedly been linked to the Medibank data breach. With the health and medical information of millions of customers compromised, it is probable that this number will continue to rise in the future. When such breaches occur, the downstream impact can extend far beyond immediate financial losses, encompassing a range of issues from legal liabilities to long-term customer distrust.
  • Taking reasonable steps to protect personal information is imperative for organisations: For Commonwealth government agencies and private sector organisations regulated by the Privacy Act 1988 (Cth), Australian Privacy Principle 11.1 mandates such steps as are reasonable in the circumstances to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. The reasonable steps that an entity takes will depend on the circumstances, including (among others) the amount and sensitivity of personal information that an entity holds and the possible adverse consequences for a person in the case of a privacy breach. As the OAIC guidelines on APP 11 state: "Generally, as the amount and/or sensitivity of personal information that is held increases, so too will the steps that it is reasonable to take to protect it."
  • The OAIC alleges that, in the case of the 2022 Medibank data breach, Medibank failed to take reasonable steps to protect the personal information it held from misuse and unauthorised access or disclosure having regard to its size, its resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach.

Key areas of focus for data protection

Organisations must realise that the potentially great value and advantages gained from utilising customer data comes with an even greater responsibility to safeguard it. The protection of customer personal information should be an integral part of an organisation's core mission and values, rather than an afterthought. This requires adequate consideration of security and privacy at a senior leadership level and sufficient investment in privacy and cyber security expertise, processes and technologies on a continual basis.

Below are some of the key things that organisations should consider doing:

  • Establish strong data management practices: Many organisations now collect and process large volumes of personal and sensitive information, which may be stored and managed across multiple environments. Strong data management systems and practices should be in place to ensure comprehensive visibility and control of customers' personal information throughout the data lifecycle and to prevent cyber security incidents that may compromise personal information.
  • Implement a robust privacy governance program: Organisations must adopt a comprehensive approach to privacy governance, which involves assigning clear accountability and responsibilities related to privacy across the entire organisation. This approach should ensure that privacy practices are in place to limit data collection and processing to what is essential and retaining the information only for the duration required by law. In framing their data retention and governance policies and program, organisations should consider the requirements at law in relation to data retention, together with the risks that can arise from retaining personal information for longer than is legally required.
  • Execute strong security management practices: Organisations must implement security measures and practices, commensurate with the threat landscape, to consistently safeguard customer personal information and tailor these protections based on the associated risks and impacts to the customer. It is vital for organisation to integrate adequate security protection throughout the data lifecycle to ensure reasonable mechanisms are in place to protect customer personal information at all times.
  • Test and validate ICT systems: Increasingly personal information is held or accessible through software and other ICT systems. It is important that organisations ensure that software and ICT systems that store or hold personal information (or which interoperate with such systems) are regularly audited, tested and validated (including through penetration tests) to ensure that they are robust and secure.
  • Train personnel at all levels: Everyone has a role to play in preventing cyber security incidents. It potentially only takes one person to click on a nefarious email link infected with a virus or malware for a data breach to result. Regular personnel training of privacy and cyber-security risks and prevention measures is vital.
  • Manage supply chain risks: Most organisations rely heavily on third party suppliers when it comes to the collection and management of the data they hold. Organisations should consider carefully the nature of the data controlled by third party suppliers and whether the systems, processes and procedures adopted by those suppliers are sufficient to manage the associated privacy risks. All of the above factors need to be considered in the context of the organisation's supply chain, as they effectively represent an extension of the organisation's operations and responsibilities. Other issues to consider include how the organisation will obtain ongoing assurance regarding the supplier's compliance and the measures the supplier is required to take to help manage cyber incidents. Procurement policies and templates should deal with these issues to ensure they are always front of mind.
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.