The Australian Information Commissioner has commenced an investigation into the personal information handling practices of HWL Ebsworth Lawyers (HWLE), arising from a data breach notified to the Office of the Australian Information Commissioner (OAIC) on 8 May 2023. The decision follows the OAIC’s preliminary inquiries into the matter, commenced in June 2023.

The OAIC’s investigation is into HWLE’s acts or practices in relation to the security and protection of the personal information it held, and the notification of the data breach to affected individuals.

The Commissioner has a range of options available to her if following her investigation she is satisfied that an interference with the privacy of one or more individuals has occurred.

This includes making a determination, which can include declarations that HWLE take specified steps to ensure that the relevant act or practice is not repeated or continued, and to redress any loss or damage suffered by reason of the act or practice. If the investigation finds serious or repeated interferences with privacy of individuals, then the Commissioner has the power to seek civil penalties against HWLE from the Federal Court of Australia.

In line with the OAIC’s Privacy regulatory action policy, the OAIC will await the conclusion of the investigation before commenting further.

About Commissioner-initiated investigations

The Commissioner is authorised to investigate an act or practice that may be an interference with the privacy of an individual or a breach of Australian Privacy Principle 1 under section 40(2) of the Australian Privacy Act 1988.

Under the Notifiable Data Breaches scheme in the Privacy Act, in certain circumstances organisations are required to take such steps as are reasonable to notify affected individuals of an eligible data breach and do so as soon as practicable.

https://www.oaic.gov.au/newsroom/oaic-opens-investigation-into-hwl-ebsworth-over-data-breach