Undefined "Lawful Authority" Creates Business Liability

The provision criminalizes accessing subscriber information, traffic data, or critical infrastructure "without lawful authority" but fails to define what constitutes lawful authority for routine business operations. Businesses conducting security testing, system administration, employee access management, or third-party audits face criminal liability (2-5 years imprisonment, up to 25,000 penalty units) unless they can demonstrate authorization—yet the provision provides no guidance on what documentation or processes establish "lawful authority." This creates substantial compliance costs as businesses must implement comprehensive access control systems and authorization documentation to avoid criminal exposure, while the provision's treatment of attempts and successful access identically means even unsuccessful employee or contractor access triggers liability.