Cyber Crime & Information Security: A Legislative Regime. Dr. Adrian McCullagh, Information Security Institute, Queensland University of Technology


Agenda (12/03/2003)
- Introduction
- Telecommunications
- Cybercrime Act
- Federal Criminal Code
- Queensland Criminal Code
- Privacy Issues
- Conclusion

Introduction: Promoting a Culture of Cyber Security
The Australian Federal Government has in recent years undertaken a number of steps to promote a culture of cyber security. These steps have included:
- the establishment of a Trusted Information Sharing Network comprising the various parties and industry associations directly involved with Critical Infrastructure;
- the enactment in 2001 of the Cybercrime Act, which substantially improved the legal basis covering cyber crimes;
- the extension of the Privacy Act in 2001 to cover more private organisations that hold personal information;
- the enactment of the Federal Criminal Code, especially Division 12, which covers a corporate culture of non-compliance with Federal, State or Territory laws;
- the recently published Security Breach Disclosure Guidelines of the Privacy Commissioner.

Introduction: Promoting a Culture of Cyber Security
There are two principal difficulties in developing a national approach to promoting cyber security in Australia:
- Federated environment: the Federal Government must operate within the scope of the Australian Constitution, which can at times be restrictive in developing a national approach;
- In many industry sectors covering Critical Infrastructure the relevant infrastructure is owned by private organisations. For example, the banking system, the telecommunications infrastructure and most transport are either privately owned or operated by Government Owned Corporations; in some states the electricity network is privately owned, whilst in other states it is owned by Government Owned Corporations.

Introduction: Promoting a Culture of Cyber Security
Fortunately, the Commonwealth does have legislative power to regulate:
- Telecommunications;
- Banking.
Unfortunately, the Commonwealth does not have direct power to regulate the power industry, but there has been some movement in this arena through the enactment and adoption by the States of the National Electricity Law.

Telecommunications Act 1997, Section 313: Obligations of carriers and carriage service providers
(1) A carrier or carriage service provider must, in connection with:
(a) the operation by the carrier or provider of telecommunications networks or facilities; or
(b) the supply by the carrier or provider of carriage services;
do the carrier's best or the provider's best to prevent telecommunications networks and facilities from being used in ... the commission of offences against the laws of the Commonwealth or of the States and Territories.

Telecommunications Act 1997
Applies to carriers and carriage service providers. Carriage service providers include ISPs and content management providers.

Telecommunications Act 1997: "do its best"
What do these words mean? Kendall v. Telstra: probably means do what is reasonable in the circumstances.
- Could it apply to, say, a denial of service attack, which would be a crime under the Cybercrime Act?
- Do carriers have an obligation to protect clients from such attacks?
- Do consumers have an obligation to take reasonable actions to better protect their own systems against illegal activity?

Cybercrime Act, 15th December 2001
Unauthorised access, modification or impairment of data or electronic communications: now a Federal offence.

Cybercrime Act
- Accomplice provisions: conduct substantially contributing to the occurrence of the offence.
- An offence will occur if there is unauthorised access through a telecommunications service or unauthorised access to a Commonwealth computer.
- A Commonwealth computer is any computer that is owned or controlled by the Commonwealth or holds Commonwealth data.

Cybercrime Act
- "Telecommunications service" means a service for carrying communications by means of guided or unguided electromagnetic energy or both.
- Impairment of communications is meant to cover a denial of service attack.
- Issue: does it cover a distributed denial of service (DDoS) attack? A DDoS attack occurs when bot software is secretly placed upon unsuspecting computers (forming a botnet) and then remotely activated to form part of a distributed attack upon a target computer.

Regulatory Obligations: Corporate Culture Offences
- A company is criminally liable for offences committed by employees where the company has a corporate culture of non-compliance with Commonwealth laws.
- Strict liability for tolerating non-compliance.
- Positive duty to create and maintain a culture of compliance with Commonwealth laws: a Corporate Compliance Program, similar to internal audits and external audits for financial records.

Queensland Criminal Code, Section 408D
(1) A person who uses a restricted computer without the consent of the computer's controller commits an offence. Maximum penalty: 2 years imprisonment.
(2) If the person causes or intends to cause detriment or damage, or gains or intends to gain a benefit, the person commits a crime and is liable to imprisonment for 5 years.

Queensland Criminal Code, Section 408D
(3) If the person causes a detriment or damage or obtains a benefit for any person to the value of more than $5 000, or intends to commit an indictable offence, the person commits a crime and is liable to imprisonment for 10 years.

Queensland Criminal Code, Section 408D
"damage" includes--
(a) damage to any computer hardware or software; and
(b) for information--any alteration, addition, removal or loss of, or other damage to, information.

Queensland Criminal Code, Section 408D
"restricted computer" means a computer for which--
(a) a device, code or a particular sequence of electronic impulses is necessary in order to gain access to or to use the computer; and
(b) the controller--
(i) withholds or takes steps to withhold access to the device, or knowledge of the code or of the sequence or of the way of producing the code or the sequence, from other persons; or
(ii) restricts access or takes steps to restrict access to the device or knowledge of the code or of the sequence, or to the way of producing the sequence, to a person or a class of person authorised by the controller.

Information Assets
"Information is valuable, but knowledge is neither real nor personal property. A man with a richly stored mind is not for that reason a man of property. Authorities which relate to property in compositions belong to the law of copyright and have no bearing upon the question whether knowledge or information, as such, is property." Per Latham CJ, FCT v. United Aircraft Corp.

Information Assets
"Either all knowledge is property, so that the teaching of, for example, mathematics involves the transfer of property, or only some knowledge is property. If only some knowledge is property then it must be possible to state a criterion which will distinguish between that knowledge which is property and that knowledge which is not property." Latham CJ, FCT v. United Aircraft Corp.

Information Assets
So is it possible to identify the elements that support the position that some information can be property? Latham CJ rejected the element of secrecy.
Points about this case:
- a 1943 case;
- a pre-information revolution, pre-computer case;
- the dependence on information had not yet developed.

Information Assets
Pont Data case: the Federal Court recognised the value of information and specifically noted that commerce was now absolutely dependent upon information and the integrity of that information. NOTE THE EMPHASIS ON THE INTEGRITY OF THE INFORMATION.
See also Hepples v. FCT; Smith Kline and French v. Federal Department of Community Services and Health.
A different position has been taken in other jurisdictions, such as:
- Hong Kong: the Koo case
- USA: Carpenter v. US

Management Responsibility
At common law, management has a fiduciary responsibility to act in the best interests of the company. Traditionally this has primarily concerned protecting the corporation's property. BUT THINGS HAVE CHANGED: property is no longer the issue; the issue now concerns the ASSETS of the corporation. ASSETS is a much wider term and will include information.

Security Breach Guidelines
- The guidelines only apply where personal information is the subject of the breach;
- No civil liability applies;
- They substantially follow the Canadian approach, which is partially based upon the Californian enactment of 2003;
- Based on the "shame factor": in California, notices to the Secretary of Commerce for California are made public via a web site.

Conclusion
- The law is still developing in this arena;
- Privacy could be a substantial issue in raising awareness for a security culture;
- Data breach disclosure could be the answer, but it is too early to tell.