Australia’s approach to privacy and cyber governance is tightening, and recent enforcement actions show the increasing expectations placed on organisations that handle sensitive information. This shift became clear on 9 October 2025, when the Federal Court imposed a $5.8 million civil penalty on Australian Clinical Labs (ACL) following a cyber attack involving more than 220,000 individuals.
This article breaks down the key lessons and explains how recognised security frameworks, including SMB1001 and ISO 27001, help organisations strengthen governance and reduce regulatory exposure.
Under the Privacy Act, organisations must take “reasonable steps” to secure personal information and respond to data breaches quickly. The ACL ruling and civil penalty made it clear that regulators will not hesitate to act when these obligations are not met.
The case highlighted several critical issues:
For businesses handling sensitive data, this was a wake-up call. Compliance is not a “best practice” suggestion; it is now a demonstrable legal obligation.
1. Legacy and Acquired Systems Carry Hidden Risk
ACL’s inherited IT environment lacked modern controls. Regulators made it clear that newly acquired or third-party systems must meet the same standards as the rest of the organisation.
2. “Reasonable Steps” Now Means Demonstrable Maturity
The expected baseline for governance has risen. Risk-conscious organisations must be able to show:
3. Outsourcing Does Not Transfer Accountability
Even when cyber services are outsourced, regulated businesses retain oversight responsibility. External support must be monitored, reviewed and verified.
4. Notification Delays Worsen Liability
The court took issue with delays in assessing and communicating the breach. Organisations with strict compliance requirements must ensure they can investigate quickly and trigger notifications without hesitation.
5. Breach Impact Scales by Individual
Each affected person may be treated as a separate contravention. For organisations that store large datasets, this significantly increases the potential financial and reputational impact.
Organisations in health, finance, education, professional services, government supply chains and other regulated sectors must assume their data-handling practices could be examined after a breach.
This requires:
Cybersecurity is no longer simply an IT function; it is now core to organisational governance.
SMB1001
SMB1001 is specifically designed for Australian small and medium businesses looking to build stronger cyber maturity. It offers a tiered pathway from basic security hygiene to advanced governance practices.
It is particularly important for:
SMB1001 helps create consistency, repeatability and measurable security improvement.
ISO 27001
ISO 27001 is the globally recognised standard for establishing an Information Security Management System. It is more rigorous and documentation-heavy than SMB1001, but offers the highest level of assurance.
It is often expected for:
ISO 27001 provides international credibility and supports a mature security culture.
How They Support Each Other
For organisations with higher privacy obligations, using recognised frameworks formalises their security posture and strengthens defensibility.
Practical Steps for Risk-Conscious Organisations
Here are actionable steps for organisations preparing to strengthen their security posture:
How Step Fwd IT Supports Security-Focused Organisations
Step Fwd IT works with organisations that must meet higher compliance and privacy standards. Our approach is designed to support regulated businesses, sensitive-data environments and teams requiring a structured, defensible security posture.
We provide:
Our focus is on helping organisations build resilience, reduce risk and demonstrate strong governance.
Learn more on our IT Security page.