“We allege Medibank failed to take reasonable steps to protect personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach,” the OAIC’s acting commissioner said on Wednesday.
But how the court will treat the alleged contravention of the Privacy Act is difficult to predict. The OAIC has taken similar action only twice previously and both cases are still grinding their way through the courts.
So in terms of precedent, there is none.
The OAIC’s first action, taken in 2020, was against Facebook’s owner Meta. The watchdog alleged that, “the personal information of Australian Facebook users was given to the ‘This is Your Digital Life’ app for a purpose other than the purpose for which the information was collected”.
“The information was exposed to the risk of being disclosed to Cambridge Analytica and used for political profiling purposes, and to other third parties,” the OAIC added.
The regulator is also running a Federal Court case against Australian Clinical Labs, in which it claims the company (also the victim of a data breach) failed to take reasonable steps to protect patients’ health information.
One curious element to Medibank’s cyber headaches was that the optics didn’t play out too badly for the insurer at the time. There was lots of noise and the share price tumbled but, unlike Optus, many viewed Medibank as a victim rather than a company that should be blamed for lax diligence around data protection.
Membership numbers recovered, as did profit. But in the most recent half-year results, Medibank said it expected non-recurring cybercrime costs to be between $30 million and $35 million in 2024. These costs cover further IT security, legal and other costs related to regulatory investigations and litigation.
So, the ghosts of the cyberattack aren’t going to go away for Medibank anytime soon, but at least shareholders aren’t expecting the worst when it comes to the civil action lodged by the privacy watchdog.
Medibank shares slipped about 1.1 per cent on the news, shredding roughly $100 million off the insurer’s market value. A pretty tame reaction to the prospect of a hefty fine and potentially a loss of face for Medibank’s management.