Police get more time to prosecute hacking offences in NSW

Police will have an extra two years to launch legal action against alleged hackers in NSW under legislative changes that account for the “protracted” nature of cybercrime investigations.

The amendment, aimed at improving the investigation of computer offences, is one of several contained in an omnibus Crimes Legislation Amendment Bill that cleared parliament last week.

The bill increases the “time limit for commencing proceedings for the offence of unauthorised access to, or modification of, restricted data held in a computer... to three years”.

Unauthorised access to restricted data, which also extends to employees who access databases for an unauthorised purpose, carries a maximum penalty of two years in prison under the Crimes Act.

Until now, police have been required to commence proceedings no later than 12 months from the date on which the offence was alleged to have been committed.

But the time limit has constrained police because “cybercrime investigations can be protracted”, according to Parliamentary Secretary to the Attorney-General Melanie Gibbons.

“The investigations often involve requests for information from foreign jurisdictions, which is a time-intensive process,” she said introducing the bill to parliament on behalf Attorney-General Mark Speakman in October.

Gibbons said the nature of cybercrime means that it can also be some time before an offence is detected.

“For example, a hacking event resulting in the theft of personal information may not leave any record to an end user that the information has been stolen,” she said.

“The hack may only be detected when that information is discovered in an unauthorised environment or when a more detailed audit or review is later undertaken.

“That means a significant part of the current 12-month window... may lapse before a victim becomes aware that unauthorised access or modification of restricted data has occurred.”

Gibbons said that the amendment “will ensure this delay does not act as a barrier to investigation and prosecution”.

The bill also amends the definition of “searchable offence” under the Law Enforcement (Powers and Responsibilities) Act 2002 to include new additional computer offences.

It means search warrants can now be obtained for unauthorised access to restricted data held in a computer, and unauthorised impairment of data held in a computer disk, credit card or other device.

Both were previously summary offences, though were defined as “serious offences” under the Commonwealth Telecommunication (Interception and Access) Act 1979.

Gibbons said it was “incongruous” that telecommunications interception warrants, which may be considered more invasive from a privacy perspective, were available for use in investigations but traditional search warrants weren't.

“These amendments will support a more effective law enforcement response to victim reports of cybercrime and ensure legal action can be taken in appropriate circumstances,” she added.