Why should we be worried about cyber security?

• If realised, cyber security risks have the potential to significantly disrupt your business operations. This can result in significant incident response costs, damage to your organisation’s brand and reputation, and depending on your response, shareholder or regulatory action.
• Managing cyber security risks requires strong leadership with the board working in concert with executives and technical teams to understand the organisation’s risk exposure. Encouraging an organisational culture that supports cyber security is important, as is supporting technical experts and information technology (IT) departments in their cyber security efforts.

Do you understand your threat environment?

• Understanding what systems are critical to core business operations, and their security posture, is integral to managing cyber security risks. Furthermore, in order to determine cyber security risks, you need to have an understanding of the threat environment in which your business operates.

Hacking (i.e. unauthorised access)

• In Australia, unauthorised access to computer systems is criminalised by both State and Federal legislation.
• In the Federal jurisdiction, hacking is criminalised under the Criminal Code Act 1995 (Cth) (“the Code”).
• Most commonly, persons suspected of engaging in cybercrime are charged pursuant to the Code, given its universal application in all States and Territories in Australia.
• Persons suspected of unauthorised access to computer systems are charged pursuant to s. 478.1 of the Code, which provides for the offence of “Unauthorised access to, or modification of, restricted data”.
• An example of state-based legislation criminalising hacking of private computer systems is Part 6 the New South Wales Crimes Act 1900 (“NSW Crimes Act”). Part 6 relates to “Computer Offences” and sets out multiple offences centred around unauthorised access, modification, or impairment of restricted data and electronic communications.

Phishing

• Phishing, being a form of online fraud, is criminalised under the Code in instances where the victim is said to be a Commonwealth entity. When the victim is a member of the public, charges are brought under parallel State or Territory legislation. In New South Wales (“NSW”), charges could be brought under s. 192E of the NSW Crimes Act, which criminalises the general offence of fraud.

Depending on the subsequent financial gain or loss suffered subsequent to the activity, the below charges are available:

• S. 134.2(1) – obtaining a financial advantage by deception.
• S. 135.1(1) – general dishonesty – obtaining a gain.
• S. 135.1(3) – general dishonesty – causing a loss.
• S. 135.1(5) – general dishonesty – causing a loss to another.
• For the charge to be proven, the prosecution must establish that the accused obtains or causes a financial advantage, gain or loss by way of deception or dishonesty. The maximum penalty for each offence is 10 years’ imprisonment.

• In the Federal jurisdiction, hacking is criminalised under the Criminal Code Act 1995 (Cth) (“the Code”).

NSW Crimes Act Part 6 Computer Offences.

• Distribution, sale or offering for sale of hardware, software or other tools used to commit cybercrime
• Distribution, sale or offering for sale of hardware, software or other tools used to commit cybercrime is criminalised by s. 478.4 of the Code,
• Possession or use of hardware, software or other tools used to commit cybercrime
• Possession or use of hardware, software or other tools used to commit cybercrime is criminalised by s. 478.3 of the Code, which provides for the offence of possession or control of data with intent to commit a computer offence.
• The maximum penalty for a contravention of s. 478.3 of the Code is three years’ imprisonment.
• ss 308F and 308G of the NSW Crimes Act.

Identity theft or identity fraud (e.g. in connection with access devices)

• Identity crime, and in particular identity fraud offences, are criminalised by Division 372 of the Code. Particular acts that are criminalised include dealing in identification information, dealing in identification information that involves use of a carriage service, possession of identification information, and possession of equipment used to make identification information.
• The offence of “Dealing in identification information that involves use of a carriage service” is most relevant to cybercrime. It is criminalised by s. 372.1A of the Code

Electronic theft (e.g. breach of confidence by a current or former employee, or criminal copyright infringement)

• Electronic theft is criminalised by s. 478.1 of the Code. the unauthorised copying of data from a computer would contravene this offence provision.
• Unsolicited penetration testing (i.e. the exploitation of an IT system without the permission of its owner to determine its vulnerabilities and weak points)
• Any other activity that adversely affects or threatens the security, confidentiality, integrity or availability of any IT system, infrastructure, communications network, device or data

Part 10.6 of the Code creates offences related to telecommunication services.

• They include offences relating to dishonesty with respect to carriage services and interference with telecommunications.
• Additionally, the above-mentioned Part 6 of the NSW Crimes Act would likely be an example of state legislation that could cover these types of activities.

Extended geographical jurisdiction 10.7 of the Code (Divisions 477 and 478).

• A person will not commit offences under that Part unless: the conduct constituting the alleged offence occurs wholly or partly in Australia, or wholly or partly on-board an Australian aircraft or an Australian ship; the conduct constituting the alleged offences occurs wholly outside Australia and a result of the conduct occurs wholly or partly in Australia, or wholly or partly on-board an Australian aircraft or an Australian ship; the conduct constituting the alleged offence occurs wholly outside Australia; and, at the time of the alleged offence, the person is an Australian citizen or at the time of the alleged offence, the person is a body corporate incorporated by or under a law of the

Mitigating Factors

• Section 16A of the Crimes Act 1914 (Cth) sets out matters for the Court to consider when passing sentences for federal offences, including offences against the Code.
• Matters that will generally mitigate a penalty include the timing of any guilty plea, the offender’s character, the offender’s prior record, assistance provided by the offender to the authorities and the offender’s prospect of rehabilitation and likelihood of reoffending. In some circumstances, the absence of intent to cause damage or make a financial gain could be taken into account by a sentencing court as a factor of mitigation, if this is not a necessary element of the offence.
• A number of the offences particularised above require intent to be proven to establish the charge. For example, a necessary element of s. 478.2 of the Code is that the defendant “intended to cause the impairment” to the data.

• the Privacy Act (Cth) (“Privacy Act”);
• the Crimes Act 1914 (Cth);
• the Security of Critical Infrastructure Act 2018 (Cth);
• the Code (Cth); and
• the Telecommunications (Interception and Access) Act 1979 (Cth).
• The Australian Securities and Investments Commission (“ASIC”) provides guidance to Australia’s integrated corporate markets, financial services and consumer regulator, and organisations through its “cyber reliance good practices”. The good practices recommend, inter alia, periodic review of cyber strategy by a board of directors, using cyber resilience as a management tool, for corporate governance to be responsive (i.e. keeping cybersecurity policies and procedures up to date), collaboration and information sharing, third-party risk management and implementing continuous monitoring systems.
• The Office of the Australian Information Commissioner (“OAIC”) recommends that entities have a data breach response plan that includes a strategy for containing, assessing and managing data breaches and strategies for containing and remediating data breaches.
• In February 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017 amended the Privacy Act to require Australian Privacy Principles (“APP”) entities to, as soon as practicable, provide notice to the OAIC and affected individuals of an “eligible data breach”, where there are reasonable grounds to believe that an “eligible data breach” has occurred. This process is called the Notifiable Data Breaches Scheme (“NDB Scheme”).

• A failure by a company to prevent, mitigate, manage or respond to an Incident may result in breaches of provisions of the Corporations Act 2001 (Cth).
• The Corporations Act 2001 (Cth) imposes duties on directors to exercise powers and duties with the care and diligence that a reasonable person would. A director who ignores the real possibility of an Incident may be liable for failing to exercise their duties with care and diligence.
• Are companies (whether listed or private) required under Applicable Laws to: (a) designate a CISO (or equivalent); (b) establish a written Incident response plan or policy; (c) conduct periodic cyber risk assessments, including for third party vendors; and (d) perform penetration tests or vulnerability assessments?
• NO. Presently not required for companies to designate a chief information security officer (“CISO”), establish a written Incident response plan or policy, conduct periodic cyber risk assessments or perform penetration tests or vulnerability assessments.

• Australian common law does not recognise a general right of privacy. The equitable cause of action for breach of confidence may provide a remedy for invasions of privacy.
• Traditionally, the elements are that information must be confidential, information must have been imparted in circumstances importing an obligation of confidence and there must be an unauthorised use of that information.
• The current doctrine of breach of confidence does not currently entertain cases of wrongful intrusion, as opposed to cases of wrongful disclosure of confidential information.
• The Privacy Act regulates the way Commonwealth agencies handle personal information.
• A person may apply to the Court for an order that an entity pay compensation for loss or damage suffered by the person if a civil penalty has been made against the entity, or the entity is found guilty of an offence under the Privacy Act.
• The High Court in ABC v Lenah Game Meats Pty Ltd (2001) 208 CLR 199 sanctioned the recognition of a tort of invasion of privacy.
• Judge Hampel in the case of Doe v ABC (2007) VCC 281 imposed liability in tort for the invasion of the plaintiff’s privacy.