Cyberspace is a rapidly growing part of the digital era and is increasingly prone to cyber attacks involving data breaches and cyber theft. Organisations competing in this environment do not want to be the front-page headline of a leading newspaper because of a cyber breach. To be proactive in this respect, one needs to build a defensive layer of security controls, which requires large investments that depend on the size and depth of the controls and vary from organisation to organisation. Most organisations regard security implementation as a cost centre rather than a business enabler, which puts them on the road to security breaches that result in loss of reputation, revenue and business, and in legal consequences. So rather than spending heavily on security models, one should maintain balanced compliance with the legal security frameworks, which gives businesses confidence and minimises cyber-chain risks (Sans.org, 2018).
This article gives a brief description of the various laws related to data security and breaches in Australia and how they have evolved. It also highlights some of the state- and federal-level requirements of the Australian government that apply to organisations.
AUSTRALIAN CYBERCRIME PROTECTION
1. ACORN: The Australian government has set up an online reporting network that gathers consumer intelligence on cybercrime and on new threats affecting Australians. It is an agency that delivers the national plan to combat cybercrime and acts as a point of online resilience where the public and organisations can report cybercrime securely. It is a partnership of national agencies and state and territory governments.
2. ACSC: The Australian Cyber Security Centre defines various frameworks and guidelines for protecting an organisation's assets against risks and threats. It gives industry enterprise risk-management assurance and a public-private hub for information sharing. It responds to cyber threats through CERT (Computer Emergency Response Team). It works with government, industry and the Australian public to raise cybercrime awareness as widely as possible, and it works jointly with the Department of Home Affairs whenever new government policy against cybercrime is drawn up.
LEGAL, LEGISLATIVE AND REGULATORY ENVIRONMENT
The federal government provides a set of guidelines for assessing an organisation and its compliance with the laws in force in Australia. The Australian Cyber Security Centre (ACSC) sets out a legal framework that the private and public sectors need to follow as a first priority.
| LAWS | DESCRIPTION |
| --- | --- |
| AUSTRALIAN PRIVACY PRINCIPLES (APP) | Part of an amendment to the Privacy Act 1983 that forms a set of APPs applying both to the federal government and to private organisations whose turnover exceeds $3 million. Most states have their own data protection acts that apply to private organisations and state government agencies. These are: 1. Privacy and Data Protection Act 2014 (Victoria); 2. Privacy and Data Protection Act 1998 (New South Wales); 3. Privacy and Information Act 2009 (Queensland); 4. Personal Information Privacy Act 2004 (Tasmania); 5. Information Privacy Act 2014 (Australian Capital Territory); 6. Information Act 2002 (Northern Territory). |
| CYBERCRIME ACT | Covers computer- and internet-related offences such as unlawful access to, and impeding access to, a computer, computer-related fraud, cyber stalking and child pornography. It concerns the integrity of electronic communications and electronically stored data. It was amended on 1 March 2013 and establishes the framework for Australia's accession to the Council of Europe Convention on Cybercrime; it operates together with the Mutual Assistance in Criminal Matters Act 1987 (Cth), the Criminal Act 1914 (Cth), the Criminal Code and the Telecommunications Act 1979. The cybercrime offences under 477.1 cover unauthorised access to and modification of restricted data, supply of restricted data held on credit cards, and so on. |
| SPAM ACT (2003) | A scheme for regulating commercial emails and other electronic messages that restricts unauthorised messages, with some exemptions. It is regulated by the Australian Communications and Media Authority, which fines non-compliant firms up to 1.1 million dollars (Acma.gov.au, 2018). Voice calls and fax messages are not covered by the authority under this act and are managed by the Do Not Call Register. All messages must follow the consent, identification and unsubscribe requirements listed in the act. |
| TELECOMMUNICATIONS ACT 1997 (Interception and Access) | Its primary objective is to protect the privacy of individuals who use Australian telecommunications systems in respect of real-time communications. It was amended by a further law on 13 March 2015 (Alrc.gov.au, 2018), under which various agencies can access real-time traffic after obtaining a warrant from a court. Under this law, metadata plays an important role for national security agencies; metadata includes telephone calls, websites accessed and geolocation details. It operates in conjunction with the APPs. |
| Cyber terrorism conventions | ASIO responds to increased cyber threats and acts as an advisor on improving national security by combating cyber terrorism with cyber security principles. This includes various laws: 1. Security Legislation Amendment (Terrorism) Act 2002; 2. Suppression of the Financing of Terrorism Act 2002 (Cth); 3. Criminal Code Amendment (Suppression of Terrorist Bombings) Act 2002 (Cth); 4. Cybercrime Bill 2012. |
Other Legislative Acts
These apply to government and private organisations, and their details can be accessed on comlaw.gov.au.
| REFERENCE ACTS | CYBERSECURITY CONSIDERATIONS |
| --- | --- |
| Australian security | Establishes ASIO frameworks and powers. It includes the online reporting networks set up by ACORN (Australian Cybercrime Online Reporting Network) and ACSC. In relation to victims of cybercrime it involves the Australian police agencies, criminal intelligence, the media authorities, the Attorney-General's Department, the Children's e-Safety Commissioner and the Australian Consumer Commission. |
| Intelligence organisation | Provision for computer access and security. |
| ASIO Act 1979 | Assessment, listening and tracking of monitoring devices (Asio.gov.au, 2018). |
| Crimes Act 1914 | Related to offences against state legislation. |
| Electronic Transactions Act 1995 | Related to electronic transactions. |
| Intelligence Services Act | Provides the legal basis for the Australian Secret Intelligence Service and the Australian Signals Directorate, and grants powers to the Australian secret intelligence organisations. |
CODE OF CONDUCT (GUIDELINES)
A specified set of standards agreed by signatories that provides better consumer protection and minimises the risk of threats.
- Guidelines for utilities: These follow the guidelines specified in ISO 27001, 27002 and 27019 and in NIST SP for security control systems.
- Guidelines for federal agencies: These give a set of rules for compliance with the protective security framework that protects Australian citizens overseas and at home. Information and communication technology is protected by the Australian Signals Directorate. Each state follows its own information security management framework (ISM).
- Guidelines for the banking industry: Cybersecurity guidelines are implemented by the Australian Securities and Investments Commission. ASIC applies to the Australian stock exchange without prejudice to the guidelines listed in PPG 234 (cryptographic controls), CPG 235 (managing data risk and governance) and the Australian Financial Services Licence (AFSL), which requires maintaining client records and IT systems security.
- Guidelines for internet service providers: The Data Retention Act and the industry codes (I-codes) published by the Internet Industry Association, which encourage a cybersecurity culture among Australian ISPs and their customers.
MAJOR CHALLENGES FOR ESTABLISHING LEGAL ENVIRONMENTS
Although there are many laws and coordinated guidelines that can help ensure cyber security, cybercrime is still increasing far faster than the rate at which laws are enacted and amended. Some of the challenges along this path are:
1. ESTABLISHING AN INTERNATIONAL LEGAL FRAMEWORK:
The first element of building an international framework is addressing cyber terrorism: signing an international agreement and accepting a set of definitions of agreed terminology related to cyber crime and defence. The United Nations has developed 14 conventions and 4 amendments against international terrorism, but they are not universally accepted, and each country follows its own federal rules and laws. The international community addressed this issue with the creation of the United Nations Counter-Terrorism Committee Executive Directorate (CTED) in 2010, which stated a definition of cyber terrorism, but it is not clear at the state and domestic level. Various laws, supported by criminal case law, provide rules and guidelines against cyber crime within Australian territory, but the major concern is cyber crime carried out by criminals overseas in countries that have no signed treaty with Australia. The lack of strong international laws against cybercrime lets criminals flourish rapidly in a borderless environment, with little coordination among law enforcement authorities and foreign policies. Law enforcement agencies are also limited in resources and in personnel trained in terrorism. Cyber terrorism is a legal issue, but coordinated international action is the only way to tackle it, and it demands strong cooperation between industry and government agencies.
To create an effective framework, existing treaties and conventions must be extended to more territories. Guidelines should be implemented that include mutual connections and the sharing of information between enforcement agencies. Any delay gives cyber criminals the green light, signalling that governments and international agencies have limited capacity to deal with them.
2. DELAY IN ENACTMENT OF LAWS:
The enactment of laws takes account of different factors in different countries. Because of this, the creation of ratified laws is often delayed. The gap between technological advances and their ramifications in legal processes leads to more and more threats on ever-growing social networks.
3. LIMITATIONS IN SCOPE OF APPLICATION:
The absence of legal procedures on certain aspects makes it difficult for investigating agencies to access information and private data.
4. LACK OF TRUST BETWEEN VARIOUS SECTORS:
The various public and private sectors do not cooperate with each other or comply with the legislative framework, which gives criminals enough space to attack one through another.
5. CONFLICTS OF LAWS AND BASIC PRINCIPLES:
Blended laws that can be applied across state and political boundaries are largely lacking in Australia. Some laws give rights over proprietary information, while others lead to violations of human rights. Some laws can be implemented only at state level and others only at national level. Moreover, we lack mutually agreed treaties that can be implemented so that a proper legal process can be carried out across international boundaries as well. For example, the EU-US Privacy Shield protects the personal data of EU citizens when it is transferred to the US, but it does not take other countries into account.
UPDATES:
ANTI-ENCRYPTION LAW:
A new law was passed in Australia this month. Encryption acts as the key to the door of protected information, but it has had negative consequences, as law enforcement agencies are sometimes unable to access messages and protected data sent by attackers. This law was imposed to force backdoors on big companies, through which various investigating agencies can have direct access to all data and the associated metadata and credentials. Australia took up this issue after the hearing of the FBI against Apple, in which Apple's request to prosecute over encryption was heard and denied. The new law has led to a list of pros and cons and to conflicting views, as it greatly affects big social networking companies such as Facebook and WhatsApp.
IMPLICATIONS
- Leads to systemic weaknesses in traffic passing through communications systems (Tech.slashdot.org, 2018).
- Legal implications for signed treaties and violations of rules in other countries.
- Affects companies in global markets.
These are all views of senior executives; the remaining effects will be seen as time passes (Anon, 2018)(Anon, 2018).
CURRENT CYBERCRIME STATE:
- MALWARE AND MALWARE ATTACKS: More organisations are now being attacked by criminals using ransomware delivered through phishing attacks. This is largely due to the lack of compliance and of a legal process for imposing security standards on the way advertisement networks are set up. It also reflects a lack of awareness among government and private-industry employees, who often fall victim to attractive emails.
- POLITICAL ATTACKS THROUGH SOCIAL NETWORKS: These are not active attacks, but they result in a loss of social peace as members of political parties openly participate in debate and exercise their freedom of expression against each other on social sites such as Twitter.
- ATTACKS ON COUNTRIES' DEFENSIVE CONTROLS: Countries are being attacked by cyber terrorists, which can lead to serious physical damage if not controlled and delayed. International conflict of laws is a major hurdle to setting up and following a legislative framework.
- CYBER BULLYING: Many cases have been reported in which children are the main victims of these attacks, sometimes even leading to suicide. Many laws have been enacted against cyber stalking, including the Children Act 2005, but there are still major loopholes that need to be addressed (Anon, 2018).
REFERENCES
- Sans.org. (2018). SANS Institute: Reading Room – Legal Issues. [online] Available at: https://www.sans.org/reading-room/whitepapers/legal/concise-guide-australian-laws-related-privacy-cybersecurity-domains-36072 [Accessed 16 Dec. 2018].
- Acma.gov.au. (2018). Key elements of the Spam Act | ACMA. [online] Available at: https://www.acma.gov.au/Industry/Marketers/Anti-Spam/Ensuring-you-dont-spam/key-elements-of-the-spam-act-ensuring-you-dont-spam-i-acma [Accessed 16 Dec. 2018].
- Alrc.gov.au. (2018). Telecommunications Act 1997 (Cth) | ALRC. [online] Available at: https://www.alrc.gov.au/publications/71.%20Telecommunications%20Act/telecommunications-act-1997-cth [Accessed 16 Dec. 2018].
- Asio.gov.au. (2018). Australian Security Intelligence Organisation |. [online] Available at: https://www.asio.gov.au/ [Accessed 16 Dec. 2018].
- Anon, (2018). [online] Available at: https://www.upwork.com/hiring/development/trends-in-cyber-security-threats-and-how-to-prevent-them/ [Accessed 16 Dec. 2018].
- Tech.slashdot.org. (2018). Australia Passes Anti-Encryption Laws [Update] – Slashdot. [online] Available at: https://tech.slashdot.org/story/18/12/06/0358200/australia-passes-anti-encryption-laws-update [Accessed 16 Dec. 2018].
- Anon, (2018). [online] Available at: https://www.gizmodo.com.au/2018/12/the-internet-reacts-to-australias-anti-encryption-bill/ [Accessed 16 Dec. 2018].
- TheSpec.com. (2018). Al-Anon on December 18,2018 | TheSpec.com. [online] Available at: https://www.thespec.com/events/8340671-669069-al-anon/ [Accessed 16 Dec. 2018].
Updated 21 March 2026
Editor’s note (accuracy review): This article was written in late 2018 and describes the Australian cybercrime and data protection landscape as it stood at that time. Readers should be aware of the following significant developments since publication.
Privacy Act reforms: The Privacy Act 1988 (Cth) has undergone substantial reform. The Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Act 2021 increased penalties for serious or repeated privacy breaches significantly. Further reforms followed with the Privacy and Other Legislation Amendment Act 2024, which introduced a statutory tort for serious invasions of privacy, enhanced enforcement powers, and other changes. The threshold for the Australian Privacy Principles (APP) regime — the $3 million turnover figure mentioned in the article — remains subject to ongoing review and proposed removal, though as of the date of this review that threshold has not yet been formally abolished. Readers should check the current status of Privacy Act reform directly with the Office of the Australian Information Commissioner (OAIC).
Notifiable Data Breaches scheme: The article does not mention the Notifiable Data Breaches (NDB) scheme, which came into force on 22 February 2018 under Part IIIC of the Privacy Act 1988 (Cth). This is a material omission for any organisation covered by the APP regime.
Assistance and Access Act (anti-encryption law): The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, referred to briefly at the end of the article, has since been partially amended by the Surveillance Legislation Amendment (Identify and Disrupt) Act 2021. The legal and practical operation of this regime has continued to develop and remains controversial.
Online Safety Act 2021 (Cth): A significant piece of legislation not covered by the article, the Online Safety Act 2021 (Cth) replaced the Enhancing Online Safety Act 2015 and substantially expanded the regulatory framework for online safety in Australia, including new powers for the eSafety Commissioner.
ACORN: The Australian Cybercrime Online Reporting Network (ACORN) referenced in the article was replaced by ReportCyber, operated by the Australian Cyber Security Centre (ACSC). The ACSC itself has since been consolidated within the Australian Signals Directorate (ASD) following structural changes to Australian cybersecurity governance.
Comlaw.gov.au: The article directs readers to comlaw.gov.au, which is no longer the official source for Australian legislation. Federal legislation is now accessed via legislation.gov.au.
Overall, while the article provides a useful introductory overview of the framework as it existed in 2018, it is now materially outdated in several respects and should not be relied upon as a current statement of Australian cybercrime or privacy law.