The risk of pre and post Completion cybersecurity incidents is now a feature of the Australian deal landscape. In the recent ACL case[1], the Federal Court imposed a $5.8 million Privacy Act penalty on Australian Clinical Labs, following a data breach which occurred shortly after ACL had acquired Medlab. The magnitude of the penalty illustrates the significant impact of a cyber incident on the business case, and the need for a robust approach to cybersecurity due diligence (as well as addressing cyber risks during integration and post-Completion).
In brief
- The recent ACL case has key legal and operational lessons for lawyers advising corporate clients on acquisitions, particularly those involving target entities with significant personal information holdings (or otherwise representing a heightened cybersecurity or data risk).
- The outcome of that case was that the Federal Court imposed a $5.8 million penalty on ACL for breaches of the Privacy Act following a data breach affecting over 223,000 individuals.
- The data breach occurred shortly after ACL had acquired Medlab without identifying or remediating serious cybersecurity vulnerabilities. The penalty is broadly considered to be the ultimate consequence of inadequate cybersecurity diligence review as part of the acquisition, and consequent failures to remediate cybersecurity readiness and resilience.
- The risk of pre and post Completion cybersecurity incidents is a feature of the deal landscape. Given the potentially significant impact on deal economics and viability (including as a result of regulatory investigations, penalties and class actions), the decision serves as a wake-up call on the need for robust cybersecurity due diligence.
The context: The ACL case
The deal that came before the penalty
- In December 2021, ACL (a listed entity and one of Australia’s largest private hospital pathology businesses) acquired Medlab, a privately owned pathology business with services in New South Wales and Queensland. The deal involved (relevantly) the acquisition of two operating laboratories and associated IT systems.
- The due diligence which was undertaken was primarily based on a cybersecurity and privacy questionnaire which was completed by Medlab staff.
- On 25 February 2022, prior to Medlab’s IT systems becoming integrated with ACL’s, a threat actor known as the Quantum Group attacked Medlab, impacting systems storing user profiles, processing patient data, and creating and distributing Medlab’s reports.
- ACL instructed a third-party cybersecurity firm, StickmanCyber, to investigate and respond to the incident, but that investigation failed to detect any data exfiltration. Following notifications from the Australian Cyber Security Centre (ACSC), ACL later identified that sensitive data from over 223,000 individuals had been published on the dark web, including financial details, tax file numbers, ID information, contact and health information. The data breach notification to the Office of the Australian Privacy Commissioner (OAIC) was made very late as a result.
- The findings underpinning the penalty were based on a Statement of Agreed Facts and Admissions (meaning the penalty was based on an agreement negotiated between ACL and the OAIC). The factual findings included the following:
- The cyber incident occurred during the 6 month period in which ACL was integrating Medlab’s IT systems into its core IT environment post-acquisition.
- ACL had failed to identify and respond to deficiencies in Medlab’s IT systems pre- and post-acquisition.
- ACL was aware that Medlab’s systems were immature in terms of their cybersecurity controls, and was exposed to heightened cybersecurity risks.
- From pre-acquisition due diligence, ACL understood that Medlab did not have sophisticated IT and cybersecurity processes in place, and had not conducted audits or vulnerability or penetration testing in the preceding three years. However, the due diligence failed to identify critical weaknesses in Medlab’s IT systems, including outdated software, lack of file encryption, inadequate authentication measures and insufficient firewalls and antivirus protection.
(For those interested in more details on the ACL case, we explored the privacy and other implications in depth in an earlier article – link to article here.)
Some comments on the magnitude of the penalty
- On 8 October 2025 Justice Halley ordered the first civil penalty under the Australian Privacy Act, in the (agreed) sum of A$5.8M arising from a 2022 data breach involving the personal information of 223,000+ Medlab customers.
- The ACL penalty was imposed for admitted conduct that represented a ‘serious interference’ with privacy under the previous Privacy Act penalties regime, which provided for a maximum penalty of $2.22 million per contravention.
- The current penalty regime provides for much higher maximum penalties for serious interferences with privacy - up to $50 million, three times the benefit gained from the breach or 30% of a company's turnover, per contravention. There are also lower penalties for less severe contraventions.
- Somewhat concerningly, Justice Halley specifically queried during the hearings in the matter whether the penalty was high enough.
- The Federal Court treated each of the 223,000+ affected individuals as separate contraventions (the Australian Privacy Commissioner has been strongly advocating for this approach in recent times), but sensibly took into account in assessing the appropriate penalty that this was in effect a single course of conduct.
- It is worth noting that the financial penalties are just part of the equation. A major cybersecurity incident can cost millions of dollars, and the largest breaches tens to hundreds of millions (including incident response costs, systems remediation/upgrade, reputational damage, business interruption losses, and the costs of penalties and litigation (including class actions)). This type of risk magnitude can obviously undermine the deal business case.
- It is in that context that we suggest it is timely to ensure an appropriately disciplined approach is being taken regarding cybersecurity due diligence.
Cyber incidents: A feature of the deal landscape
Key ‘before and after’ actions for managing cyber risk
We’ve advised a number of clients on pre and post Completion cyber incidents. We’re seeing a growing need for four key actions:
- deal business cases need to appropriately provision for cyber, IT and privacy risk;
- deal documents need to be carefully cognisant of cyber incident and privacy risk, including how the risk will fit with material adverse change (MAC) clauses and warranties;
- practices around cyber due diligence need attention to ensure companies aren’t walking into significant risk and costs; and
- the plan for post-Completion IT remediation and integration needs to be robust, and implemented with appropriate governance, oversight and accountability (too many cyber incidents we’ve seen involve ‘legacy’ infrastructure which wasn’t updated in time or left on the sidelines but still connected).
Cyber DD post-ACL: What does good look like?
Particularly for targets with extensive data holdings, who hold sensitive data types or have sensitive operations (healthcare, financial services and critical infrastructure are good examples), or who are technology heavy businesses, robust cyber due diligence is needed.
While we note that cyber and IT risks can never be entirely eliminated (however robust the due diligence), the level of risk associated with IT systems, security controls and data holdings can be more clearly understood.
From our experience with pre and post Completion incidents, as well as IT, privacy and cyber due diligence over time, we offer the following observations on due diligence post-ACL:
- A clear understanding of IT and cyber systems, controls and risk is important. The risk magnitude can significantly impact deal economics (the privacy penalty in the ACL case equates to ~10% of the purchase price).
- Cyber risk can be heightened in separation and data migration processes. If the target is undertaking these types of activities, transitional arrangements and vendor contract terms may warrant more detailed scrutiny (eg to check that the risks are appropriately managed and/or flowed down).
- Cyber due diligence needs to be carefully considered, with appropriate levels of enquiry conducted depending on the business type.
- A ‘desktop’ review of key policies/documents and historical incidents will not be adequate to surface ACL-type risks.
- Of course, some desktop review of papers is important. For example, an understanding of the cybersecurity posture and level of investment in key IT systems over time is important, and will need to be gathered from analysing key management, strategy and board papers. The ACL case also highlighted the usefulness of understanding the adequacy of cyber incident response plans to enable a comprehensive and tightly run incident response if an incident was to occur.
- Robust technical due diligence to examine cybersecurity posture, control effectiveness and data governance risk is strongly recommended. This should be undertaken by experts. The timing and cost need to be factored into deal processes.
- Penetration testing of the organisation should be considered depending on the nature of the business, particularly if large consumer-facing data holdings are in play, if the stakes are high for another reason, or if it hasn’t been recently undertaken.
- The outcomes of cybersecurity diligence review, including known risks (eg outdated software, lack of encryption), must be flagged and addressed in transaction documents and integration or post-Completion plans, as well as called out in due diligence reports.
- Purchasers who would prefer not to undertake technical due diligence in relation to cybersecurity risk should adopt an ‘if not, why not?’ approach to that decision, with clear, risk-based justifications.
- Vendors need to be prepared to engage with technical due diligence, or consider how they can address technical concerns at the outset through information provided in the data room and management or technical sessions with purchasers.
Footnote: