Insight

What the Australian Clinical Labs privacy case means for cyber governance and M&A risk

QUICK SUMMARY
  • Immediate privacy & cyber obligations: The Federal Court ruling confirms that privacy and cybersecurity responsibilities begin on Day 1 of an acquisition. 
  • Governance & accountability are critical: Boards and executives must ensure robust oversight and cannot outsource accountability for cyber and privacy risks, including breach notifications.
  • Regulatory enforcement is escalating: OAIC is adopting a more aggressive posture, prepared to litigate and set precedents, increasing legal and financial risks for non-compliance.
The recent Federal Court decision involving Australian Clinical Labs (ACL) marks a pivotal moment for privacy, cybersecurity, and governance in Australia.

The case – which settled for $5.8 million – arose after a significant cyber incident at MedLabs, a business acquired by ACL, and has far-reaching implications for boards, cyber professionals, risk managers, internal auditors and M&A teams. The court’s findings make it clear that privacy and cyber obligations are immediate and non-negotiable from the point of acquisition, and that governance failures – both technical and procedural – will be scrutinised. 

This decision signals a new era of regulatory enforcement where the Office of the Australian Information Commissioner (OAIC) is prepared to litigate and set precedent, and where the lines between privacy, cybersecurity, and corporate governance are more tightly drawn than ever.

Key takeaways:

  • Cyber due diligence must be deeper: Understanding technical and procedural cybersecurity vulnerabilities and limitations during due diligence is paramount. The court found ACL failed to do this sufficiently.
  • Privacy obligations begin on Day 1: Privacy and cybersecurity responsibilities begin the moment an acquisition is completed. Acquiring companies cannot defer these obligations until post-integration, and the court found ACL’s delayed approach unreasonable. 
  • Accountability cannot be outsourced: Relying solely on external advisors to determine breach notification is not a valid defence. The acquiring entity remains fully accountable for privacy and cyber obligations, regardless of third-party input. 
  • Cybersecurity failures are potentially privacy breaches: The distinction between cybersecurity and privacy failures is narrowing. Technical lapses in security can directly result in privacy violations, increasing regulatory scrutiny. 
  • Governance and oversight are central: The court emphasised that governance failures – especially in decision-making and oversight – are as critical as technical controls. Boards must ensure robust oversight and clear accountability for cyber and privacy risks. 
  • Forensic incident response required: Organisations must document incident response decisions, escalation paths, and rationales in real time. This forensic approach is essential for demonstrating compliance and effective governance during regulatory review or litigation. 
  • Regulatory enforcement is escalating: The OAIC is now prepared to litigate and set legal precedents, signalling a more assertive regulatory posture and higher potential penalties for non-compliance. An increased regulatory focus introduces not only greater legal risk but also the prospect of costly and time-consuming litigation, which can divert resources and attention away from core business operations.

Practical considerations for boards and risk leaders

Organisations must move beyond surface-level due diligence and compliance and truly embed robust, evidence-based controls into their operations. To mitigate risk and demonstrate a proactive approach, organisations should:

  • Conduct deep cyber due diligence during transactions, including inherited environments and third-party dependencies. This should go beyond surface-level assessments and include a clear plan for uplift and integration.
  • Establish a Day 1 uplift plan for privacy and cybersecurity controls, with clear accountability and board oversight. This includes identifying inherited risks, assigning ownership and ensuring early remediation.
  • Regularly assess the effectiveness of privacy and cyber controls, using internal governance mechanisms and recognised frameworks such as the Australian Cyber Security Centre (ACSC) Essential Eight, ISO 27001 and the National Institute of Standards and Technology (NIST) SP 800-53. These assessments should be sufficiently robust, comprehensive, and supported by evidence to demonstrate that controls are not only in place but are operating as intended.
  • Maintain forensic documentation of incident response decisions, including escalation paths and rationale. This is essential for demonstrating compliance and governance during regulatory review or litigation.
  • Ensure ongoing oversight of breach readiness and governance, particularly where internal capability is limited. This may include assigning clear roles, maintaining breach playbooks and conducting scenario-based exercises.

The ACL case reinforces that privacy and cybersecurity are no longer merely operational concerns – they are governance imperatives. Boards and executive teams must treat breach readiness, acquisition risk, and third-party oversight as core components of enterprise risk management.

How we can help

Our Risk Consulting team helps businesses with comprehensive due diligence, cyber and privacy services. We can help your organisation to understand its risk profile, implement appropriate mitigations and safeguards, improve governance frameworks and manage cyber incidents. Contact us if you would like to understand what this means for your business.

Learn more about how our Cyber security services can help you