The police have two additional years to take legal action against suspected hackers in NSW.
The change, aimed at improving computer crime investigation, is one of several contained in an omnibus crime legislation amendment bill that cleared Parliament last week.
The draft law extends the “deadline for initiating proceedings for unauthorized access to or modification of protected data in a computer … to three years”.
Unauthorized access to restricted data, including by employees who access databases for unauthorized purposes, is punishable by a maximum sentence of two years in prison under the Crimes Act.
Until now, the police were obliged to initiate proceedings no later than 12 months after the date of the alleged act.
But the police have found that deadline restrictive because “investigations into cybercrime can be dragged out,” said Melanie Gibbons, the parliamentary general secretary to the attorney general.
“Investigations often involve requests for information from foreign jurisdictions, which is a time-consuming process,” she said when she presented the bill to Parliament on behalf of Attorney General Mark Speakman in October.
Gibbons said that due to the nature of cybercrime, it can also take some time to detect a crime.
“For example, a hacking event that results in the theft of personal information may not leave a record of the information being stolen,” she said.
“The only way to discover the hack is if this information is discovered in an unauthorized environment or if a more detailed audit or review is carried out later.
“This means that a significant part of the current 12-month window … can pass before a victim realizes that unauthorized access or a change in restricted data has taken place.”
Gibbons said the change “will ensure this delay does not act as an obstacle to investigation and prosecution”.
The bill also changes the definition of “searchable crime” under the Enforcement of Powers and Responsibilities Act 2002 to include additional computer crimes.
This means that search warrants can now be obtained for unauthorized access to restricted data on a computer and the unauthorized corruption of data located on a computer floppy disk, credit card, or other device.
Both were previously summary offenses, but were referred to in the Commonwealth Telecommunication (Interception and Access) Act 1979.
Gibbons said it was “inappropriate” for telecommunications surveillance arrest warrants, which might be considered more invasive from a privacy perspective, to be available for investigating these offenses when traditional search warrants were not.
“These changes will help law enforcement agencies respond more effectively to reports from victims of cybercrime and ensure that legal action can be taken in appropriate circumstances,” she added.