New privacy rules make cyber governance ‘non-negotiable,’ Grant Thornton says
A recent privacy penalty case has demonstrated the importance of maintaining strong cyber governance during mergers and acquisitions, Grant Thornton has said.
In October, pathology business Australian Clinical Labs (ACL) was issued with a $5.8 million fine for failing to take reasonable steps to protect customer data, following a breach which saw personal information of over 223,000 customers leaked to the dark web.
The breach happened after ACL acquired the assets of another pathology firm, Medlab. Federal Court documents noted that the cyber attack occurred in February 2022, on the computer systems that ACL had acquired from Medlab in December 2021.
The court found that ACL had failed to take reasonable steps to carry out a “reasonable and expeditious” assessment of the attack and whether it constituted an eligible data breach under the Privacy Act.
Grant Thornton cyber risk consultants Daniel Farthing and Matthew Green said the steep penalty demonstrated the importance of being proactive about cyber security risks throughout transactions.
“The court’s findings make it clear that privacy and cyber obligations are immediate and non-negotiable from the point of acquisition, and that governance failures – both technical and procedural – will be scrutinised,” Farthing and Green wrote.
Grant Thornton said the case had highlighted the importance of conducting deep cyber due diligence prior to an acquisition to identify inherited risks, and underscored the fact that privacy responsibilities began as soon as an acquisition was complete.
“Privacy and cybersecurity responsibilities begin the moment an acquisition is completed. Acquiring companies cannot defer these obligations until post-integration, and the court found ACL’s delayed approach unreasonable,” the consultants wrote.
They added that organisations were expected to document incident response decisions, escalation paths and rationales in real time when cyber attacks occurred.
“This forensic approach is essential for demonstrating compliance and effective governance during regulatory review or litigation,” the consultants noted.
The $5.8 million penalty signalled that the Office of the Australian Information Commissioner (OAIC) was escalating its regulatory enforcement when it came to consumer data and privacy.
To mitigate legal and reputational risks, Grant Thornton urged organisations to conduct deep cyber due diligence during transactions and establish strong cyber security controls from day one of acquisition.
They also reiterated the importance of regularly assessing the effectiveness of privacy and cyber controls, and ensuring ongoing oversight of breach readiness and governance.
“The ACL case reinforces that privacy and cybersecurity are no longer operational concerns – they are governance imperatives. Boards and executive teams must treat breach readiness, acquisition risk, and third-party oversight as core components of enterprise risk management,” the consultants wrote.