Cyber Security in Australia

Is it unlawful in this jurisdiction to access third party data without authorisation. Is it unlawful to store data which has been accessed without authority?

Yes. There are a number of criminal offences under Federal and State laws in relation to the unauthorised access of data, which potentially carry prison sentences. The severity of the offence is largely related to the intention of the perpetrator on accessing and using the data. For example, if the data is accessed for the purposes of committing a further crime the punishment is more severe. Persons who aid, abet, counsel, or procure someone to commit a criminal offence (which would likely include someone who stored data they knew to be improperly obtained or encouraged data to be improperly obtained) will also commit an offence. A person who assists the perpetrator after the data has been improperly obtained may also be guilty of an offence depending on the intention behind the accessing and use of the data by the original perpetrator. The unauthorised access of data is not recognised as a traditional theft under Australian law. In terms of civil actions, the unauthorised access of data may amount to a trespass. If the data accessed is confidential, there may also be claims available in contract (if there is a contractual obligation to keep the data confidential, which is common in many employment or business contracts) or in equity for breach of confidence (if the confidential information is improperly obtained or imparted in a manner which requires it not to be divulged). If a person is asked to store data which they know to have been obtained improperly, a claim may also be made against them for a breach of confidence.

Is there a legal mechanism whereby you can seek access to or retrieve the copy of data which has been accessed without authority? Is there a legal mechanism that enables you find out information about who may have accessed your data without authority and/or how it was used?

If you know who has taken the data or the identity of the person associated with the IP address of the device which accessed the data or where the data is being held there are options available to apply to access the copy of the data taken, find out information about who accessed the data and determine how the data may have been used. If the identity of the person(s) who either committed the data breach or are storing or have stored the data at some point in time is known, the matter could be referred to the police or civil proceedings could be commenced to get access to information or documents. There are two civil processes which may be appropriate depending on the circumstances: preliminary discovery and/or search and seizure orders. Preliminary discovery proceedings require an individual or company to produce documents so that either the identity of a potential defendant(s) can be determined or the plaintiff can assess whether there is a case to be made. Preliminary discovery may be sought where there is an issue about whether the access to data was authorised or whether the data was used to the detriment of its owner. If the only information known about the perpetrator of the data breach is the IP address associated with the breach, a preliminary discovery application could be made against the relevant Internet or cloud service provider to determine the identity of the account user. Search orders are sought in the context of actual or anticipated civil proceedings. It is therefore necessary to know who is or are the intended defendant(s) to the civil proceedings. A search order requires the addressee to permit a team, comprised of the plaintiff’s solicitor, an independent solicitor and where appropriate, an independent computer expert, to enter specific premises to search, inspect and either copy or remove documents (including storage drives or computers where documents are stored electronically). Documents which are removed are not ordinarily provided to the plaintiff immediately but an order may be made for inspection by the plaintiff of those documents. In order to obtain a search order there must be a strong prima facie case against the defendant(s) and a real possibility that the defendant(s) may destroy or hide important evidentiary material. If civil proceedings for breach of confidentiality obligations are brought and are ultimately successful, one of the orders made may be for the delivery up of the data accessed, damages or an account of profits.

Is there any restriction on the use that can be made of the information or documentation obtained regarding a data breach incident using a legal process?

Yes. In all Australian jurisdictions there is an express or implied obligation upon parties to only use documents produced in response to compulsory processes for the purposes of the proceeding in which they are produced. In relation to preliminary discovery proceedings, the information or documentation can be used to commence the proceedings anticipated. It is possible to apply to the court under which jurisdiction the documents were produced to seek leave to use the information for the purposes of another proceeding and/or to disclose these documents to relevant law enforcement authorities.

Is it possible to maintain confidentiality in relation to the legal steps necessary to get access to the data or information?

Ordinarily no, but it is possible to ask the Court to make a suppression or non-publication order to keep the proceedings or their subject matter confidential. There is, however, a high threshold for meeting the requirements for the granting of a suppression order. If it is later determined that proceedings should be commenced in another jurisdiction (for example, the perpetrator is found to reside there), can you stop the proceedings in this jurisdiction in such a way that you are not prevented from commencing proceedings on the same issue as a result of the application of res judicata, double jeopardy or some other similar principle? Yes, if proceedings are stopped in a manner which does not result in a final determination of the issues in the proceeding. For example, withdrawing, discontinuing or staying the proceeding will usually not prevent a plaintiff from commencing proceedings either in this jurisdiction again or in another jurisdiction. However, there may be an issue if there is a final judgment or if the proceedings are “dismissed” or if proceedings are actively on foot in two jurisdictions at the same time which cover the same issues. As the description for the options for stopping proceedings may differ between Australian jurisdictions, it will be necessary to check the rules of the relevant court to determine the options for stopping the proceedings and the effect of utilising each option.

Is there an obligation in your jurisdiction to hold personal information securely?

Yes. Australian Privacy Principle 11 requires that certain regulated entities take such steps as are reasonable in the circumstances to protect personal information from misuse, interference and loss and from unauthorised access, modification and disclosure.

Does the law in your jurisdiction restrict or place conditions on the transfer of personal or other information to other foreign jurisdictions?

Yes. The Privacy Act 1968 requires that the transferring party must take such steps as are reasonable to ensure that the overseas recipient does not breach Australian Privacy Principles. In addition, unless certain disclosures are made and express consent obtained on the basis of the disclosures, the transferring party remains strictly liable for any data breach by the overseas recipient.

Is there a generally applicable obligation to notify data subjects of a data breach in your Jurisdiction?

No.

Is there a generally applicable obligation to notify the authorities of a data breach in your jurisdiction?

Possibly. If the data breach was committed in the state of New South Wales and an individual knows or believes that it was done with the intention to commit a further crime and has information which that person believes might be of material assistance in securing the apprehension of the offender or their prosecution, that person may commit an offence if they do not, without reasonable excuse, bring the crime to the attention of the appropriate authorities. While the offence of failing to report is rarely prosecuted in practice it is something that should be considered. The other Australian jurisdictions generally only make concealment of the data breach an offence if the concealment was in return for some gain. Again, while the bar for committing such an offence is quite high, this is a question that victims of a data breach should consider as part of dealing with a data security incident.

Are there sector specific mandatory data breach notification obligations in your jurisdiction?

Yes. Prudential standards promulgated by the Australian Prudential Authority require notification of significant prudential breaches, including breaches associated with the integrity and security of data systems.