Federal Court of Australia
Australian Information Commissioner v Australian Clinical Labs Limited [2023] FCA 1517
ORDERS
AUSTRALIAN INFORMATION COMMISSIONER Applicant
AND: AUSTRALIAN CLINICAL LABS LIMITED (ACN 645 711 128) Respondent
DATE OF ORDER:
THE COURT ORDERS THAT:
1. Pursuant to s 37AF(1)(b)(iv) of the Federal Court of Australia Act 1976 (Cth) (Act), until further order of the Court, the following information in the concise statement, filed on 2 November 2023, is to be kept confidential and not published or otherwise disclosed to any person other than the applicant, the Australian Information Commissioner (and staff of the Office of the Australian Information Commissioner), the legal representatives retained by the applicant (including the applicant’s solicitors and barristers and any support staff of those solicitors and barristers), any experts retained by the parties to the proceeding, and the Court (and any Court staff or any other person assisting the Court), on the grounds that this order is necessary to prevent prejudice to the proper administration of justice under s 37AG(1)(a) of the Act:
(a) the information contained in the last sentence of sub-paragraph 13(b);
(b) the information contained in the fourth, fifth and sixth sentences of sub-paragraph 13(c); and
(c) the information contained in the second and third sentences of sub-paragraph 13(d).
2. Costs of the interlocutory application dated 30 November 2023 be costs in the proceeding.
Note: Entry of orders is dealt with in Rule 39.32 of the Federal Court Rules 2011.
HALLEY J:
A. Introduction
1 On 23 November 2023, I made orders in these proceedings under s 37AF(1)(b)(iv) of the Federal Court of Australia Act 1976 (Cth) (FCA Act), that certain information contained in the concise statement filed by the applicant on 2 November 2023, the Australian Information Commissioner (AIC), be kept confidential and not published or otherwise disclosed, on the ground that the order was necessary to prevent prejudice to the proper administration of justice (Orders).
2 Relevantly, for present purposes, the Orders also included the following orders:
2. The following information in the concise statement be restricted from inspection by and/or publication to persons other than the parties to this proceeding until 5 pm on 1 December 2023 or until further order of the Court, being:
(a) the information contained in the last sentence of sub-paragraph 13(b);
(b) the information contained in the fourth, fifth and sixth sentences of sub-paragraph 13(c); and
(c) the information contained in the second and third sentences of sub-paragraph 13(d).
3. Any application to extend the restriction from inspection of the information identified in Order 2 is to be filed and served and provided to the Associate to Justice Halley by no later than 5.00 pm on 30 November 2023 and any such application will be determined on the papers.
3 Pursuant to Order 3 of the Orders, the respondent, Australian Clinical Labs Limited (ACL), now seeks an order that the information identified in Order 2 of the Orders (Information), should also be made the subject of a confidentiality and non-disclosure order pursuant to s 37AF(1)(b)(iv) of the FCA Act.
4 This application is supported by an affidavit of Richard Harris, the solicitor for ACL, affirmed on 30 November 2023, in which he gives evidence, on information and belief from Sean Jackson, the Chief Information Officer of ACL and Rick Wittman, the Chief Information Security Officer of ACL, of potential risks and prejudice arising from publication of the Information.
B. Relevant Provisions
5 Sections 37AF and 37AG of the FCA Act relevantly provide:
37AF Power to make orders
(1) The Court may, by making a suppression order or non-publication order on grounds permitted by this Part, prohibit or restrict the publication or other disclosure of:
…
(b) information that relates to a proceeding before the Court and is:
(i) information that comprises evidence or information about evidence; or
(ii) information obtained by the process of discovery; or
(iii) information produced under a subpoena; or
(iv) information lodged with or filed in the Court.
(2) The Court may make such orders as it thinks appropriate to give effect to an order under subsection (1).
37AG Grounds for making an order
(1) The Court may make a suppression order or non-publication order on one or more of the following grounds:
(a) the order is necessary to prevent prejudice to the proper administration of justice;
(b) the order is necessary to prevent prejudice to the interests of the Commonwealth or a State or Territory in relation to national or international security;
(c) the order is necessary to protect the safety of any person;
(d) the order is necessary to avoid causing undue distress or embarrassment to a party to or witness in a criminal proceeding involving an offence of a sexual nature (including an act of indecency).
(2) A suppression order or non-publication order must specify the ground or grounds on which the order is made.
C. Consideration
6 ACL advances the following submissions in support of its application for an order under s 37AF(1)(b)(iv) of the FCA Act over the Information (The references to “Harris” are to paragraphs in the affidavit of Mr Harris):
(a) First, if the Information is made publicly available it could be used by threat actors to carefully plan and design a cyberattack on the Respondent’s systems, which, in turn, is likely to increase the likelihood of further attempts by threat actors to seek to access ACL’s systems and, as such, the risk that such an attempt might be successful. As a result, public access to the issue poses increased risks to the security of the personal information of the Respondent’s patients and staff held in those systems and potential harm ([16] of Harris);
(b) Second, ISO and NIST are comprehensive, prescriptive, and well-known standards that are routinely used by organisations such as the Respondent to assess the suitability of their IT and cybersecurity policies, procedures and systems. Sophisticated threat actors, including state-sponsored threat actors (and potentially even unsophisticated threat actors), will invariably have a good understanding of what each of those standards requires, including what certain ratings assigned in accordance with those standards mean about an organisation’s IT systems and cybersecurity posture. Knowledge of a rating provided in accordance with either an ISO or NIST standard would allow a potential threat actor, with reference to what is and/or is not required in accordance with these standards, to determine reasonably accurately what IT and cybersecurity controls have and/or have not been implemented by an organisation and leverage that information to design a cyberattack focussed on any gaps ([17](a) to (c) of Harris);
(c) Third, the Paragraph 13 Information contains the Respondent’s ratings following its recent ISO and NIST audits, the disclosure of which would give rise to particular risk to ACL, its staff and its patients. A threat actor could use that confidential information to design an attack focussed on controls that only organisations with higher ratings would have in place ([17](d) of Harris);
(d) Fourth, the Applicant has queried the currency of the Paragraph 13 Information, including because the Respondent’s ISO and NIST ratings were issued between 2020 and 2022 (T4: 23-35 of CMH on 23 November 2023). However, the nature and broad scope of these audits means that uplift by an organisation in accordance with these standards can take considerable amounts of time and resources, such that the results of audits conducted years ago (including only 3 years ago in 2020) are not necessarily historical or fully superseded in every single respect and require ongoing investment and improvement. Sophisticated threat actors would also be aware of this. Threat actors with access to ISO and NIST scores are in a position to significantly increase their chances of a successful attack by making assumptions about the rate of improvement organisations generally make after an ISO or NIST assessment. Therefore, if they know the recent ISO or NIST ratings, they can design an attack with assumptions about the level of defensive controls they must overcome.
7 I am satisfied for the following reasons that an order is to be made pursuant to s 37AF(1)(b)(iv) of the FCA Act that the Information is to be the subject of a confidentiality and non-disclosure order, on the ground that the order is necessary to prevent prejudice to the proper administration of justice under s 37AG(1)(a) of the FCA Act.
8 First, I accept the submissions made by ACL that the Information has the potential to provide specific insight into ACL’s IT and cybersecurity posture and infrastructure that could be leveraged by threat actors to cause significant prejudice and harm to ACL and ACL’s staff and patients.
9 Second, I do not accept AIC’s submission, advanced in the course of a case management hearing before me on 23 November 2023 and in correspondence with ACL’s solicitors, that the Information could not expose ACL to an increased risk of cyberattack by a threat actor as it merely concerns “historical findings”. Seeking to characterise material as “historical findings” fails to recognise that it is inherently difficult to speculate on the use that cyber threat actors may make of the Information, given the potential insight that information might provide of ACL’s present IT and cybersecurity infrastructure.
10 Third, AIC is responsible for enforcing the Privacy Act 1988 (Cth) (Privacy Act). In this proceeding, the AIC seeks declarations relating to alleged breaches of the Australian Privacy Principles and the Privacy Act. Pursuant to s 2A(a) of the Privacy Act, one of the objects of the legislation is “to promote the protection of the privacy of individuals” and under s 2A(d), another object of the legislation is “to promote responsible and transparent handling of personal information by entities”. In my view, the disclosure of the Information is inconsistent with the objects of the Privacy Act, outlined in s 2A, for which the AIC is responsible and that the orders sought in ACL’s application are, therefore, necessary to prevent prejudice to the proper administration of justice.
D. Disposition
11 Orders are to be made in substantially the same form as sought by ACL in its interlocutory application dated 30 November 2023.
I certify that the preceding eleven (11) numbered paragraphs are a true copy of the Reasons for Judgment of the Honourable Justice Halley.
Associate: