Labor Introduces Bill to Improve Transparency on Ransomware Payments

On 21 June 2021, Labor introduced the Ransomware Payments Bill 2021 (Cth) (Bill) into federal Parliament in response to a recent onslaught of ransomware attacks. If passed, the Bill would establish a mandatory reporting requirement for certain types of entities that make a ransomware payment in response to a ransomware attack.

As the world reels from reports this week of the biggest global ransomware attack on record, we lift the hood on the proposed mandatory reporting scheme and provide a macro snapshot of Australia’s recurring ransomware nightmare. We also take a quick look at the question of whether it is legal to pay a ransom.

Decoding the proposed mandatory reporting scheme

In this section we provide quick answers to some frequently asked questions about the mandatory reporting scheme that the Bill proposes to introduce.

What is the proposed mandatory notification requirement?

An entity that makes a ransomware payment would be required to give written notice of the payment to the Australian Cyber Security Centre (ACSC) (clause 8(1) of the Bill).

What entities would the requirement apply to?

The requirement would apply to the following entities:

  • Commonwealth entities;
  • state or territory agencies;
  • corporations; and
  • partnerships.

(Clause 5 of the Bill.)

Are there any proposed exclusions?

All small businesses, sole traders and unincorporated entities and charities would be excluded from the requirement (clause 5(c) of the Bill).

When would the notification need to be made?

As soon as practicable (clause 8(1) of the Bill). There is no guidance about what the phrase “as soon as practicable” means.

What would need to be included in the notification?

In summary, the notification would be required to contain:

  • the name and contact details of the entity;
  • the identity of the attacker, or known information about the identity of the attacker; and
  • a description of the ransomware attack, including, for example, the cryptocurrency wallet to which the attacker demanded the ransomware payment be made.

(Clause 8(2) of the Bill.)

What is a ransomware attack?

The definition of ransomware attack contained in the Bill is technical, but in summary it means: “when an unauthorised person accesses, modifies, or impairs data and demands payment to repair or undo damage or prevent the publication or exfiltration of data” (clause 4 of the Bill and page 4 of the Explanatory Memorandum to the Bill (Explanatory Memorandum)).

What is the proposed penalty for not giving the notification?

1,000 penalty units, which is currently $222,000 (clause 8(1) of the Bill).

What would happen to the information contained in the notification?

The ACSC would be permitted to disclose any of the information contained in the notification to any person (including the public) for the purpose of informing the person about the current cyber threat environment (clause 9(2) of the Bill).

Australia’s cybersecurity and ransomware nightmare

The ACSC has estimated that cybersecurity incidents cost Australian businesses approximately $29 billion annually.

A recent survey by cybersecurity firm Crowdstrike found that the average ransomware payment by Australian companies is $1.25 million. Additional costs for businesses may include, for example, lost executive and management time and long-term brand damage.

The following extracts from the Explanatory Memorandum provide a further glimpse into the magnitude of the ransomware nightmare facing Australian businesses and the broader economy:

“[Ransomware] is the “highest cyber threat” facing Australian businesses according to the ACSC” – at page 4

“Ransomware is a jobs and investment destroyer when the Australian economy can least afford it. Analysts suggest that the cost to the Australian economy of ransomware attacks in 2019 alone was in the order of $1 billion.” – at page 4

The Explanatory Memorandum also highlights several recent examples of ransomware attacks – namely, the attack on each of JBS Foods, Colonial Pipeline and Nine Entertainment.

The surge in ransomware attacks has also been causing ructions in the insurance sector. For example:

  • Two of Australia’s biggest insurance companies have called for the government to introduce changes to make it unlawful for insurance companies to reimburse companies for ransomware payments. Their argument is that making reimbursements creates a perverse incentive for cyber criminals.
  • The surge has led to concerns about a “rapid rise” in cyber insurance premiums and the general availability of coverage.

Is it legal to pay a ransom in response to a ransomware attack?

One angle that is sometimes overlooked when it comes to ransomware attacks, is the question of whether it is legal to pay a ransom.

If paid, a ransom might result, for example, in the commission of:

  • An instrument of crime offence under Division 400 of the Criminal Code Act 1995 (Cth) (Criminal Code Act).
  • A terrorism funding offence under Division 103 of the Criminal Code Act.

The ACSC advises organisations to never pay a ransom.

Practical Law resources

For a free guide to Practical Law’s materials on the topic of:

Practical Law subscribers can access more information on the topic of ransomware and other types of cyber-attacks in the following practice notes on Practical Law Australia:

  • Practice note, Ransomware.
  • Practice note, Hacking and network intrusions.
  • Practice note, Malware and end user attacks.

Louise joined Practical Law from Legal and Regulatory Services at NSW Health. Louise is experienced in all aspects of commercial agreement work and has significant experience of competition law in the context of third line forcing and cartels and the consumer provisions, particularly in the context of the provision of medical and health services. She also has broad commercial law experience having advised across commercial legal areas including major projects, goods and service contracts, data protection and privacy, intellectual property, and charities. Louise previously worked at Ebsworth & Ebsworth as a medical negligence lawyer before joining Cutler Hughes & Harris in its commercial law division and then Blake Dawson Waldron (now Ashurst) as a lawyer in the firm’s Corporate Advisory Group.

Andrew joined Practical Law after more than seven years in practice at leading law firm King & Wood Mallesons and specialist corporate firm Watson Mangioni. Andrew’s practice included advising clients on a range of corporate transactions and commercial matters including mergers and acquisitions, restructures, commercial contracts, capital raising and corporate governance.

Subscribe to Business Insight

Discover best practice and keep up-to-date with insights on the latest industry trends.