Australian Cyber Laws
Laws in Australia relating to cyber crime include
· Privacy Act
· Crimes Act
· Security of Critical Infrastructure
· Telecommunications Interception and Access
The most recent amendment to the law is in relation to critical infrastructure. The law shares responsibility between government (state and federal) and organisations to ensure the data security of critical infrastructure such as hospitals and power networks.
A large component of the changes in the law is in relation to reporting. The Privacy Act requires that organisations report a possible data breach as soon as practicable. This report must be made to the Australian Information Commissioner and to affected individuals. It is important to include in the report an overview of the type of data breached and the extent of the breach. When reporting to affected individuals it is also important to include recommendations on what an individual may do in response to the data breach.
Failing to comply with a notification obligation may result in fines. The maximum fine a court can impose is AUD $2.1 million. Fines are imposed using penalty points. After July 2020 a penalty point is valued at AUD $222.
In fighting ransomware, the Australian Government does not condone payments to cyber gangs. Australia is being encouraged to fight back by saying no and raising the alarm early. To this end the authorities are looking to get involved early and are concerned that some businesses have in the past refused assistance in dealing with cyber criminals. The law allows law enforcement to use covert digital operations and other investigatory powers to catch cyber criminals and to help organisations during an attack.
Australian law does not, however, stipulate how an organisation can counter or protect itself from cyber criminal activity. The law does not yet require that organisations have an incident response plan or policy, conduct cyber risk assessments or perform vulnerability tests. Technical methods such as honeypots and sinkholes are not legislated against, whether used for protection or attack. As cyber criminal activity increases, with a 60% rise in ransomware attacks over 2021, it is expected that more prescriptive laws will be called for, setting out how an organisation is expected to protect and defend itself from cyber-attacks.
A person suspected of the cyber-crime of “unauthorised access to, or modification of, restricted data” can be convicted on the following elements of proof
· The person causes any unauthorised access to or modification of restricted data
· The person intends to cause the access or modification
· The person knows that access or modification is unauthorised
A common cyber criminal activity is phishing, which carries a maximum penalty of 10 years. To prove the charge, it must be established that the accused caused a financial advantage, gain or loss by way of deception or dishonesty.
As cyber criminal activity continues to rise it is expected that laws and regulations pertaining to the protection of Australian organisations will also increase. Organisations should prepare themselves by
· Putting in place cyber protection strategies
· Being aware of reporting regulations and putting in place activities to identify cyber criminal activity aimed at the organisation
· Gathering evidence
· Preparing restoration plans for affected data, covering both the organisation and affected individuals