There can certainly be no doubt that cyber security is a hot-button topic in boardrooms around the world at the moment. In recent years, corporations have become increasingly aware of the legal, reputational and financial risks associated with data breach incidents and cyber crime.

But what is less well known and reported on is the ability of governments and regulators to covertly and remotely hack into an entity’s electronic systems for various purposes, including corporate crime investigations.

Recent legislative developments in Australia (which mirror and in some ways extend similar legislation in the USA and UK) have strengthened the ability for regulators to conduct such covert activities.

Increasingly, these powers are also extending to information stored overseas, beyond the regulator’s jurisdiction.

This article focuses on recent legislative developments regarding covert hacking in Australia that your organisation needs to be aware of, and also touches on some new legislative approaches being adopted in the USA.

COVERT HACKING: RECENT LEGISLATIVE DEVELOPMENTS IN AUSTRALIA

Currently, there are multiple legislative schemes under which various Australian corporate regulators can access an organisation’s electronic systems (with or without their knowledge).

1. Law Enforcement (Powers and Responsibilities) Act 2002 (NSW) (LEA).

The relevant provisions within this legislation authorise state and Commonwealth police officers investigating serious offences – such as corruption or computer crimes – to obtain covert search warrants. The LEA also authorises the covert hacking of one electronic system to facilitate the hacking of other electronic systems, even if those systems are hosted outside NSW’s (or the Commonwealth’s) jurisdiction.

2. Crimes Act 1914.

The Commonwealth’s Crimes Act 1914 contains similar provisions granting powers to state and Commonwealth police officers as the LEA, although they are limited to a more narrow class of offences (primarily terrorism offences).

3. Surveillance Devices Act 2004 (Cth) (SDA).

Regulators or commissions with a focus on corporate crime have significant powers to obtain information through covert hacking, authorised by a warrant. For example, under the SDA, the Australian Crime Commission can apply for a surveillance device warrant which authorises the installation of a surveillance device on a premises, specified object or person. The SDA also allows for these warrants to be executed covertly. There is no specific provision that authorises the operation of such a device to extend outside Australia, but the SDA does allow for the extraterritorial operation of warrants by first obtaining the consent of an appropriate consenting official in the foreign country where the surveillance is needed.

In addition to the legislative schemes discussed above, the Commonwealth’s Telecommunications (Interception and Access) Act 1979 (TIA)authorises extensive warrant powers to various government agencies. The TIA broadly permits two types of warrants:

  • warrants to intercept telecommunications; and
  • warrants to access communications stored on a telecommunications carrier.

Additionally, in 2015, the TIA was amended to impose positive obligations on telecommunications carriers to store metadata that may be accessed with these warrants for two years.

Although the powers concerning interception warrants are technically limited to agencies such as the Australian Federal Police and the Australian Crime Commission,[1] the reality is that corporate regulators such as the Australian Securities and Investments Commission and the Australian Competition and Consumer Commission may collaborate during an investigation and thereby indirectly benefit from the AFP’s powers under the legislation. For example, the legislation authorises the dissemination of information obtained by intercepting a communication to another agency if the information relates to the commission of a relevant offence in relation to that other agency.[2]

COVERT HACKING: RECENT LEGISLATIVE DEVELOPMENTS IN THE USA

In the United States, there are various legislative schemes under which regulators may covertly access an entity’s information. Most recently, the US Supreme Court has approved changes to Rule 41 of the Federal Rules of Criminal Procedure. (The new Rule 41 will take effect within the next several months, unless it is amended or blocked by Congress).

One potentially significant change to the Rule is that warrants will be allowed to be issued to law enforcement to remotely access, search, seize, or copy data when the location of the stored media or information has been concealed through technological means.

Effectively, this means that where mechanisms are used to mask the location of an IP address, a court will still be able to issue warrants for those devices. This is despite the possibility that the devices could be physically located anywhere in the world!

So what should your business take from these developments?

Legislative approaches to covert hacking being adopted in both Australia and the USA show how regulators now have increased powers to access information.

Your organisation needs to be aware of these powers when considering the scope of its corporate responsibilities and liabilities. Ensure you keep in mind that Australia’s legislation in particular has broad powers facilitating surveillance by many different agencies.

In light of recent international regulatory investigations and scandals such as those relating to UnaOil, FIFA, Leighton Holdings and the Sweett case, it is almost inevitable that in the future, these types of investigations will include evidence obtained via cyber surveillance by the relevant authorities.

The scope of these powers also provides a timely reminder of how vulnerable and dependent organisations can be on third party vendors, such as telecommunication carriers.