Phishing for legislative solutions in a threat-filled world: The Australian cybersecurity landscape

Goutham Balaji
1 August 2024

The Medibank and Optus data breaches in late 2022 remain fresh in many of our minds. If we did not know it before, we were now acutely aware of the risks posed by cybercriminals in our increasingly digitised lives. Related to the personal data breaches is the prevalence of ‘phishing’ – where scammers use emails or text messages to deceive individuals into disclosing their personal and/or banking details. Phishing is one of the most common cybercrimes and its commission leads to significant financial consequences – in 2022 alone, the reported losses to phishing scams increased by 469 per cent, to a figure of $24.6 million. Recognising the need to modernise our legislative framework, the Australian government is working on a number of cybersecurity reforms.

Currently, a patchwork of legislative regimes works together to combat cybercrime. The Security of Critical Infrastructure Act 2018 (Cth) (‘SOCI Act’) covers cybersecurity obligations for operators of systems in the nation’s most important sectors, including communications, data storage, health care and financial services. This Act works together with the Privacy Act 1988 (Cth) (‘Privacy Act’), which covers the broad obligations entities have to protect individuals’ data privacy. For businesses, including large corporations, working with multiple legislative frameworks makes compliance with cybersecurity protocols resource-intensive and difficult. The various Acts may create duplicate, or sometimes conflicting, obligations. Fearing potential liability for non-compliance with this myriad of obligations, businesses may not be forthcoming about potential data breaches or cybersecurity weaknesses, thereby leaving government in the dark about the threats facing the economy. The law also remains out of touch with the reality that the vast majority of businesses, including small businesses, are now part of the digital economy and hold large repositories of data in order to operate efficiently. In response to these concerns, the Australian government has released proposed reforms to the SOCI Act and Privacy Act that aim to simplify the data security obligations organisations have, while extending the coverage of those cybersecurity laws.

Although progress is being made with respect to data security, the legislative framework for combating phishing remains underdeveloped. Phishing is not directly criminalised in Australian jurisdictions. However, laws that can be applied indirectly to phishing scams do exist. At the federal level, the Crimes Code Act 1995 (Cth) (‘Crimes Code Act’) creates an offence where identification information is obtained through a carriage service for the purpose of committing, or facilitating the commission of, an offence. Specifically in relation to financial scams, the Crimes Code Act makes it an offence for a person to dishonestly obtain personal financial information without the consent of the person to whom the information belongs. Similarly, at the state level in Victoria, the Crimes Act 1958 (Vic) makes it a crime for a person, by any deception, to dishonestly obtain a financial advantage. Separately, given that phishing messages usually take the form of spam, the Spam Act 2003 (Cth) prohibits the sending of unsolicited electronic messages (spam).

Although these provisions can be applied to phishing scams, a few issues remain. Firstly, by grouping phishing together with other financial or identity crimes, the law seems to unintentionally downplay its severity. Designating phishing as a separate crime would appropriately recognise its magnitude and allow resources to be directed towards improving its enforcement and prevention. Secondly, the prosecution of phishing crimes is difficult when perpetrators are both anonymous and located overseas. Therefore, for phishing laws to have a sufficient impact, Australia needs to work with its international partners to aid the enforcement of laws against phishing – something the government has recognised and is working towards achieving. For financial scams, legislation should empower enforcement agencies to work more closely with the financial sector to prevent the flow of funds from unsuspecting citizens to cybercriminals.

As we increasingly rely on digital systems in our everyday lives, we must also remain vigilant against growing cybersecurity threats. The government is working steadily on a number of fronts to develop a cohesive approach to cybersecurity, but time is of the essence, especially in relation to the imminent threat that phishing scams pose on a daily basis.