In August 2012, the Australian Government passed the Cybercrime Legislation Amendment Act 2012 (Cth) (CLAA). The purpose of the CLAA was to enable Australia to accede to the Council of Europe Convention on Cybercrime (Cybercrime Convention), the first international treaty on cybercrime.
Cybercrime is a nebulous term. It can be summarised as any crime facilitated through information and communication technology (ICT), or any crime that targets ICT networks, systems, and data themselves, including confidential information and intellectual property.
Although Australia already complied with many of the Cybercrime Convention provisions, the CLAA means that Australia now meets all of the Cybercrime Convention requirements for members, including the obligation of telecommunication carriers to preserve stored communications and associated meta-data when required to do so by law enforcement. The CLAA should bolster the ability of Australian law enforcement agencies to prevent, investigate, and prosecute cybercrime offences. However, the CLAA is also a reminder of the increasing threat cybercrime poses to Australian companies, including corporate espionage, data theft, business interruption and reputational damage.
What is the purpose of the Cybercrime Convention?
The Cybercrime Convention is an international response to the borderless nature of cybercrime. For example, a criminal based in Eastern Europe can steal Australian credit card data from the website of an online business based in South-East Asia.
The vast bulk of cybercrime, particularly targeting Australian companies, originates off-shore, and is often the result of well-organised and resourced organisations. Many of these criminal organisations are based in, or utilise ICT facilities based in, states with poor legislative or enforcement frameworks. This makes it virtually impossible for any state acting alone to locate or apprehend the responsible parties, or even to gather evidence about what occurred, and how.
The stated aim of the Cybercrime Convention is: “to pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international co-operation”. The Cybercrime Convention encompasses offences against computer data and systems, computer-related forgery and fraud, content-related offences, and infringement of intellectual property rights.
The Cybercrime Convention also requires member states to provide mutual assistance to other member states. As well as harmonising national laws, the Cybercrime Convention aims to facilitate the sharing of intelligence, and to make it easier for member states to collect evidence from foreign jurisdictions.
What are the legislative changes in Australia resulting from the CLAA?
Australia’s federal cybercrime offences are contained in the Criminal Code Act 1995 (Cth) (the Criminal Code), and were modelled on the Cybercrime Convention. They are divided into two main groups: offences relating to telecommunication services (Part 10.6) and computer offences (Part 10.7).
The Criminal Code contains a number of offences relating to the unauthorised access, modification, or impairment of data and restricted data (sections 477.1, 477.2 and 478.1 of the Criminal Code). The CLAA broadened the scope of these offences. Prior to the CLAA, the offences required the relevant data to be owned by the Commonwealth, held by, or on behalf of, the Commonwealth, or that the access, modification or impairment was caused via a carriage service (for example, over the internet). The CLAA removes these limitations, so that any unauthorised access, modification, or impairment of any data is now an offence. This captures situations where employees modify data on-site without authorisation, or use a purely local network (which is not a carriage service) to conduct such acts.
Before the CLAA, section 477.3 of the Criminal Code created an offence for causing unauthorised impairment of an electronic communication to or from a computer, but only if the unauthorised impairment was caused through the use of a carriage service, or the electronic communication was sent to or from a computer owned by the Commonwealth. The CLAA amendments (based on the federal Parliament’s constitutional power to enact legislation with respect to external affairs, including in order to implement an international treaty or convention) now mean that any unauthorised impairment is an offence, regardless of how it occurs, or where the communication was being sent to or from. This extends the offence to any conduct which blocks, diverts or redirects communications with a computer, including the flooding of a system during a distributed denial of service (DDoS) attack.
The CLAA also amended section 478.2 of the Criminal Code. Prior to the CLAA, it was only an offence to cause unauthorised impairment of the reliability, security or operation of data held on a computer disk, credit card, or other storage device if that device was owned by the Commonwealth. The CLAA removed that restriction, so that it is now an offence to conduct such acts against any such device, whoever owns it.
The CLAA also amends three other Acts:
the Telecommunications Act 1997 (Cth), relating to the obligation of carriers to preserve stored data and meta-data;
the Telecommunications (Interception and Access) Act 1979 (Cth), relating to the scope of telecommunication interception powers; and
the Mutual Assistance in Criminal Matters Act 1987 (Cth), relating to the cooperation powers of Australian law enforcement agencies with their foreign counterparts.
Although most of the amendments from the CLAA commenced in 2012, the changes to the Criminal Code only came into force on 1 March 2013.
Cybercrime and business
The criticality and ubiquitous nature of ICT for all businesses makes cybercrime highly lucrative, as sophisticated criminal organisations constantly search for, and exploit, vulnerabilities in these vast, interdependent ICT systems. Reports of high profile companies being “hacked”, with large volumes of customer account data published or sold for profit, occur on an almost daily basis. Although many cybercriminals are motivated by profit, companies are increasingly being targeted for other reasons, including corporate espionage, or to cause economic or reputational damage to the business, such as through a DDoS attack that takes a customer-facing service offline.
Beyond the consequences of lost revenue and reputational damage, there are a range of legal consequences that can arise from being the victim of cybercrime, including claims relating to breach of confidentiality or privacy, disclosure of third party trade secrets or intellectual property, breach of contract, or negligence. The likelihood of becoming a victim of cybercrime also increases with every service provider that is given access to company ICT systems and customer data: each one extends the attack surface beyond the company’s own controls.
The financial, legal and reputational risks to Australian companies from cybercrime are real, and growing. In the recently released National Security Strategy, the Australian Government identified malicious cyber activity as a key national security risk, and announced the creation of the Australian Cyber Security Centre in response.
How to reduce the risks to your business
It is virtually impossible to guarantee that your company will not be the victim of a cybercrime incident. First, any ICT system that is connected to an external network is exposed to attempts at unauthorised access. Second, the rate of change in the field of ICT, the need for disparate platforms, software, and systems to interact with each other, and the unwitting acts of users themselves, all contribute to making ICT a relatively easy target for criminal activity.
Thus it is incumbent on companies to take all reasonable steps to reduce the likelihood of such incidents occurring, as well as to increase their ability to detect, mitigate and manage any incidents that do occur.
However, given that most companies outsource at least some aspect of their ICT systems, whether it is through hosted software or data storage, or ICT security services themselves, it is important to ensure that your service providers are as concerned about the security of your ICT systems as you are.
What protections can I include in contracts with ICT service providers?
For the same reasons you cannot guarantee the security of your own systems, it will be very difficult to require your service providers to guarantee that protection. However, you could be left with very little protection if you limit their security obligations to “best efforts”, especially if liability for loss of revenue, data loss or corruption is excluded.
As a result, it is worth considering some of these simple protections that can be included into agreements with service providers.
- Document service provider’s commitment to security - get your security expert to assess the service provider’s capability and track record in relation to security and ensure that anything that impresses them, or gives them comfort, is included in the contract as something the service provider is required to provide.
- Maintain security standards and protocols – it may be appropriate to require the service provider to have and maintain best-practice security systems and protocols. There may be a particular standard that you want them to sign up to (e.g. that they are certified under ISO 27001, and that the certification scope actually covers the services being provided to you).
- Right to test and audit - You may seek to negotiate adequate rights to audit and even test the service provider’s security and compliance with their contractual obligations (in addition to any audit rights relating to records). Larger service providers often obtain independent security audits themselves and agree to provide the results (on a confidential basis) to their customers.
- Limit access as required – It is wise to include a restriction on service providers to ensure that they limit access to your company’s confidential or sensitive information to only those people within their organisation that have a business need to use and access that information (the principle of least privilege). One of the reasons that the leak of the US diplomatic cables to Wikileaks occurred was because the relevant employee had access to large volumes of information without any business need for that access.
- Control remote access – The terms under which service providers can access your company’s ICT systems, particularly remotely, should be clearly specified in the service agreement (or in a separate remote access agreement). Depending on the nature of the systems that are accessible, it may be appropriate to ensure that the service provider maintains a log of all access to your company’s ICT systems, and that individual (not shared) accounts are used by each of its employees, since a shared account makes it impossible to trace an action back to the person who performed it.
- Notice of issues - The service provider should be required to notify your company as soon as it becomes aware of any breaches of security or any suspected security incident (by its employees or otherwise) and provide all reasonably required assistance in investigating and mitigating the incident and protecting against future similar incidents.
Of course contractual protections are no replacement for good corporate policy on managing and protecting your data and ICT systems, and it may well be appropriate to ensure that the services to be provided by the service provider comply with those policies.
Where to for my company?
Except for telecommunication carriers, the CLAA imposes no new obligations on Australian companies, although the broadened Criminal Code offences now cover unauthorised access to, or modification of, any company’s data, including by insiders acting over a local network. Its introduction is a timely reminder about the real, growing, and evolving threat of cybercrime.
The scope and detail of contractual obligations relating to security will depend on the scope of the services and the level of access and control the service provider will have over your ICT systems and data.