
Why Data Security Posture Management Is Becoming a Regulatory Expectation

  By Nick Savvides and Kieran Laffan

    In October, Australia quietly redefined what “reasonable” data protection means for every organization that handles sensitive information.

    The Federal Court’s verdict against Australian Clinical Labs (Medlab) marks the first time in our region that the absence of an effective Data Loss Prevention (DLP) control has been explicitly cited as a contributing factor in a data breach penalty.

    The company was fined $5.8 million after a ransomware incident exposed personal and health data; $800,000 of that amount was attributed specifically to its failure to understand its own data risk.

    From the court’s own findings:

    Data Loss Prevention was not used on the Medlab IT systems to detect or prevent the theft of personal information and data held on those systems.

    This ruling didn’t just close a case. It demonstrated that when courts levy data breach penalties, they are now inclined to assess whether appropriate data security controls were actually implemented. Organizations must be able to understand their data, measure their risk, and prove control over it.

    The ruling expands what “reasonable steps” means for data protection across Australia and, by extension, the broader APAC region, shifting expectations from reactive security to proactive posture management.

    The New Regulatory Reality

    Nearly all privacy and cybersecurity regulations in APAC, including the Australian Privacy Act, Singapore’s PDPA, India’s DPDP Act and the New Zealand Privacy Act, hinge on three fundamental questions:

    1- Are you a good custodian of the data you hold?

    2- Do you know what data you have and where it resides?

    3- Are you doing enough to protect it?

    Until now, many organizations have answered those questions through policy, not practice. But the Medlab ruling signals a shift from guidance to enforcement. A DLP control is no longer “good to have.” It is now a baseline expectation against which “reasonable steps” are measured.

    And as Data Security Posture Management (DSPM) becomes better understood and adopted, regulators will expect organizations to demonstrate not only that they have DLP, but that they know and understand their data risk.

    The Thought Leaders’ Data Security Cycle

    At Forcepoint, we describe this journey as a continuous, five-stage cycle:

    1- Discover your data: Identify where data lives across on-prem, cloud, SaaS, and AI systems to eliminate blind spots and strengthen compliance readiness.

    2- Understand your data: Classify it by both content and context to accurately assess sensitivity, business value and exposure levels.

    3- Prioritize your data: Determine which data is critical to your organization and where risk concentration exists.

    4- Remediate your data risks: Archive stale and duplicate data, move mislocated files to the right repositories, enforce least privilege, and apply labels that support downstream DLP and AI-safety controls and reduce the attack surface.

    5- Protect your data: Implement proactive and reactive controls through a unified platform that continuously discovers, classifies and secures information in motion, at rest, and in use.

    Each stage strengthens your ability to confidently answer those three regulatory questions — and to demonstrate that your organization takes reasonable steps in both prevention and governance. 
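    The following Python program is an added illustration of stages 1 to 4 of that cycle, not Forcepoint’s code or the product’s logic. It walks a constructed in-memory file inventory (hypothetical paths, owners, ACLs and contents), classifies each file by content (regex detectors) and by context (open ACL, public location, staleness), ranks the results by a risk score that multiplies sensitivity by exposure, and turns the ranking into concrete remediation actions, including removing the more exposed copy of duplicated data. The detectors, weights, retention threshold and scan date are all assumptions chosen for the example; a real DSPM scan would crawl file shares, object stores and SaaS APIs and use validated identifier checks rather than simple patterns.

```python
"""Toy data-security-posture pass: discover, classify, prioritize, remediate.

Added example, not Forcepoint's code. All paths, principals, contents and
weights are constructed for illustration.
"""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass
class FileRecord:
    path: str
    content: str
    acl: set            # principals with read access
    last_modified: date


# Stage 1 (discover): a constructed inventory standing in for a real crawl.
INVENTORY = [
    FileRecord("/shares/clinical/results/2023-lab-report.txt",
               "Patient: J. Citizen, email j.citizen@example.com, Medicare ref 1234567890",
               {"clinical-staff"}, date(2023, 6, 1)),
    FileRecord("/shares/public/marketing/flyer.txt",
               "Free flu shots this winter!", {"Everyone"}, date(2024, 5, 1)),
    FileRecord("/shares/public/old/export.csv",
               "name,email\nJane Doe,jane@example.com\nA Smith,a.smith@example.com",
               {"Everyone"}, date(2019, 1, 15)),
    FileRecord("/shares/finance/backup/export-copy.csv",
               "name,email\nJane Doe,jane@example.com\nA Smith,a.smith@example.com",
               {"finance"}, date(2019, 1, 15)),
]

SCAN_DATE = date(2025, 10, 1)   # assumed scan date, fixed for reproducibility
STALE_DAYS = 3 * 365            # assumed retention threshold

# Stage 2 (content): simplified detectors and sensitivity weights.
DETECTORS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "health": re.compile(r"\b(patient|diagnosis|medicare)\b", re.I),
}
SENSITIVITY = {"health": 3, "email": 1}


def classify(rec):
    """Return the set of sensitivity labels whose detector fires on the content."""
    return {name for name, rx in DETECTORS.items() if rx.search(rec.content)}


def exposure(rec, today):
    """Stage 2 (context): open ACL, public location and staleness each add risk."""
    score = 0
    if "Everyone" in rec.acl:
        score += 3
    if rec.path.startswith("/shares/public/"):
        score += 2
    if (today - rec.last_modified).days > STALE_DAYS:
        score += 1
    return score


def assess(inventory, today):
    """Stages 1-3: label and score every record, highest risk first."""
    rows = []
    for rec in inventory:
        labels = classify(rec)
        sens = sum(SENSITIVITY[label] for label in labels)
        exp = exposure(rec, today)
        rows.append({"path": rec.path, "labels": labels, "exposure": exp,
                     "risk": sens * (1 + exp),     # sensitivity scaled by exposure
                     "digest": hashlib.sha256(rec.content.encode()).hexdigest(),
                     "rec": rec})
    rows.sort(key=lambda r: r["risk"], reverse=True)
    return rows


def plan_remediation(rows, today):
    """Stage 4: map findings to actions; returns {path: [actions]} for sensitive files only."""
    actions = defaultdict(list)
    by_digest = defaultdict(list)
    for r in rows:
        if not r["labels"]:
            continue                       # nothing sensitive found: no action
        rec = r["rec"]
        by_digest[r["digest"]].append(r)
        if "Everyone" in rec.acl:
            actions[rec.path].append("restrict-acl")
        if rec.path.startswith("/shares/public/"):
            actions[rec.path].append("relocate")
        if (today - rec.last_modified).days > STALE_DAYS:
            actions[rec.path].append("archive-stale")
    # Duplicates: keep the least exposed copy, flag the others for removal.
    for copies in by_digest.values():
        keep = min(copies, key=lambda r: r["exposure"])
        for r in copies:
            if r is not keep:
                actions[r["rec"].path].append(f"remove-duplicate-of:{keep['rec'].path}")
    return dict(actions)


if __name__ == "__main__":
    ranked = assess(INVENTORY, SCAN_DATE)
    for r in ranked:
        print(f"risk={r['risk']:2d} exposure={r['exposure']} labels={sorted(r['labels'])} {r['path']}")
    for path, todo in plan_remediation(ranked, SCAN_DATE).items():
        print(path, "->", todo)
```

    Note that the world-readable mailing list in the public share outranks the protected lab report even though the report holds more sensitive content: risk concentration (stage 3) is a product of what the data is and how exposed it is, which is why classification by content alone is not enough to answer the third regulatory question.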

    Why This Matters Beyond Australia

    Even if you’re outside Australia, this precedent matters. 

    In common-law jurisdictions, legal findings in one country often influence future cases in others. More importantly, any company processing the personal data of Australians is now subject to these expectations.

    We’re watching a global convergence where regulators are moving from education to enforcement. 

    The expectation is no longer “Do you have security tools?” It’s “Can you prove you understand your data and have taken measurable action to protect it?” This expectation is driving a new standard: a shift from awareness to accountability. 

    The Takeaway

    This case formally recognizes what many in data security have long known: 
    You can’t protect what you don’t understand.

    Organizations that build their programs around visibility, classification and adaptive controls will not only reduce breach risk, but also demonstrate compliance and accountability in a way that auditors and customers can see.

    DSPM and DLP together form the foundation of a full life-cycle approach to data security. It’s time for enterprises to move from reactive response to proactive posture management, and from awareness to accountability.

    See how Forcepoint’s Data Security Everywhere approach empowers you to understand, protect, and prove control over your data—wherever it lives. Start with a free Data Risk Assessment.

    • Nick Savvides

      Nick Savvides serves as Field CTO & Head of Strategic Business, APAC at Forcepoint. In this role, he is responsible for growing the company’s strategic business with its key customers in the region. This involves taking the lead to solve customers’ most complex security issues while accelerating the adoption of human-centric security systems to support their business growth and digital transformation. In addition, Savvides is responsible for providing thought leadership and over-the-horizon guidance to CISOs, industry and analysts.

      Read more articles by Nick Savvides
    • Kieran Laffan

      Kieran Laffan serves as Field CTO at Forcepoint, where he champions enterprise-scale data risk assessment and AI-driven classification strategies. Previously he led strategic alliances and field CTO functions at GetVisibility and earlier held senior engineering and sales-engineering roles at Varonis, bringing deep hands-on experience in data security architecture and go-to-market execution.

      Read more articles by Kieran Laffan
