Australian Court Decision Reinforces the Need for Strong Cybersecurity Controls

A recent Federal Court decision in Australia has reinforced the growing expectation that organisations must take proactive and reasonable steps to protect personal and sensitive information from cyber threats.

The ruling followed a civil penalty hearing under the Privacy Act 1988 (Cth) and resulted in a multimillion-dollar penalty after a major cyber incident exposed the personal and health data of hundreds of thousands of individuals. The decision highlights how courts and regulators now assess cybersecurity maturity, governance, and preparedness when determining compliance with privacy obligations.

Cybersecurity Failures Under Examination

The Court examined whether reasonable steps had been taken to protect personal information before and after a ransomware attack affecting inherited IT systems following a business acquisition.

While some cybersecurity measures existed, the Court found that critical controls were missing or ineffective. These included deficiencies in incident response planning, monitoring, access controls, and data protection practices.

The judgment emphasised that reliance on external service providers alone is insufficient. Organisations must retain internal capability, oversight, and accountability for detecting, assessing, and responding to cyber incidents.

Application Whitelisting Identified as a Key Missing Control

One of the most significant findings was the absence of application whitelisting across affected systems. Without this control, unknown or unauthorised applications were able to execute, increasing the likelihood that malicious software could run undetected.

Application whitelisting is widely recognised as a foundational cybersecurity control. By allowing only approved applications to run, organisations can prevent malware, ransomware, and unauthorised tools from executing—even if they bypass traditional antivirus solutions.

The Court treated the lack of application whitelisting as part of a broader failure to take reasonable steps to reduce cyber risk, particularly given the sensitivity of the data involved.
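To make the control concrete, the following is an added illustration (not code from the article or from any party to the case) of how a default-deny application allowlist decides whether a launch is permitted. It assumes a hypothetical policy with three rule types in order of strength: a SHA-256 hash of the approved binary, a signing publisher, and a trusted install path that standard users cannot write to. The "binaries", paths and publisher name are constructed samples. The scenario shows why hash-based rules matter: a trojanised copy that keeps the approved file name is still blocked because its contents hash differently, and every denial is logged, which is also the detection signal a monitoring team wants.

```python
"""Default-deny application allowlist evaluator (added illustration)."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample "binaries"; in practice these are on-disk executables.
APPROVED_APP = b"MZ\x90\x00approved-invoicing-tool-v1.2"
TROJANISED_COPY = b"MZ\x90\x00approved-invoicing-tool-v1.2-with-extra-payload"
UNKNOWN_TOOL = b"MZ\x90\x00unknown-remote-admin-tool"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's contents, the identity used by hash rules."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class ExecutionRequest:
    path: str
    contents: bytes
    publisher: Optional[str] = None  # simulated code-signing identity (hypothetical)


@dataclass
class AllowlistPolicy:
    allowed_hashes: Set[str] = field(default_factory=set)
    allowed_publishers: Set[str] = field(default_factory=set)
    # Path rules must only cover directories that standard users cannot write to;
    # otherwise anything dropped there would inherit the allow decision.
    allowed_path_prefixes: Tuple[str, ...] = ()
    audit_log: List[str] = field(default_factory=list)

    def evaluate(self, req: ExecutionRequest) -> Tuple[bool, str]:
        """Return (allowed, reason). Anything without a matching rule is denied."""
        digest = sha256_hex(req.contents)
        if digest in self.allowed_hashes:
            return True, "hash rule"
        if req.publisher is not None and req.publisher in self.allowed_publishers:
            return True, "publisher rule"
        if any(req.path.startswith(prefix) for prefix in self.allowed_path_prefixes):
            return True, "path rule"
        # Default deny: block and record the event for the monitoring team.
        self.audit_log.append(f"DENY path={req.path} sha256={digest}")
        return False, "no matching rule (default deny)"


def build_policy() -> AllowlistPolicy:
    """Hypothetical policy: one approved hash, one trusted publisher, one trusted path."""
    return AllowlistPolicy(
        allowed_hashes={sha256_hex(APPROVED_APP)},
        allowed_publishers={"CN=Example Corp Internal Tools"},  # constructed value
        allowed_path_prefixes=("C:\\Program Files\\",),
    )


def run_scenario() -> Tuple[Dict[str, bool], List[str]]:
    """Evaluate four constructed launch attempts and return decisions plus the audit log."""
    policy = build_policy()
    requests = [
        # Approved binary in its installed location: allowed by hash.
        ExecutionRequest("C:\\Program Files\\Invoicing\\invoicing.exe", APPROVED_APP),
        # Same file name, modified contents, user-writable temp dir: denied.
        ExecutionRequest("C:\\Users\\alice\\AppData\\Local\\Temp\\invoicing.exe", TROJANISED_COPY),
        # Unknown tool with no rule at all: denied.
        ExecutionRequest("C:\\Users\\alice\\Downloads\\radmin.exe", UNKNOWN_TOOL),
        # Unknown contents but signed by a trusted publisher: allowed by publisher rule.
        ExecutionRequest("C:\\Users\\alice\\Downloads\\helper.exe", UNKNOWN_TOOL,
                         publisher="CN=Example Corp Internal Tools"),
    ]
    decisions = {req.path: policy.evaluate(req)[0] for req in requests}
    return decisions, policy.audit_log


if __name__ == "__main__":
    decisions, log = run_scenario()
    for path, allowed in decisions.items():
        print(("ALLOW" if allowed else "DENY "), path)
    print("\n".join(log))
```

The ordering of the rules is deliberate: hash rules are the most specific and the hardest to abuse, publisher rules trade some precision for maintainability across updates, and path rules are only safe when the directory itself is protected. Real enforcement tools such as Windows AppLocker or Windows Defender Application Control implement the same rule families; this script only models the decision logic.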

Additional Security Gaps Highlighted

The decision also noted several other weaknesses that compounded the impact of the incident, including:

  • Limited testing of incident response procedures
  • Inadequate monitoring and short log retention periods
  • No use of Data Loss Prevention (DLP) tools
  • Lack of behavioural-based threat detection
  • Absence of multifactor authentication for remote access
  • Incomplete data recovery planning
  • Insufficient cybersecurity training for key personnel

Together, these gaps reduced the organisation’s ability to identify data exfiltration, assess breach severity, and meet mandatory notification timelines.

Broader Implications for Organisations

The Court reaffirmed that what constitutes “reasonable steps” under Australian privacy law depends on several factors, including:

  • The sensitivity and volume of data held
  • The size and sophistication of the organisation
  • The prevailing cyber threat environment
  • Known risks associated with the systems in use

Importantly, acquiring IT systems or data from another entity does not reduce responsibility. Organisations are expected to identify and remediate cybersecurity deficiencies promptly, particularly when handling sensitive personal or health information.

A Clear Message for Australian Businesses

This decision sends a strong signal that cybersecurity failures can result in substantial financial penalties, even in the absence of deliberate misconduct. Courts and regulators are increasingly focused on whether preventative controls were in place—not just how organisations respond after an incident occurs.

Controls such as application whitelisting, multifactor authentication, advanced monitoring, and tested incident response plans are no longer optional. They are fast becoming baseline expectations for compliance, risk management, and trust.
