On 21 June 2021, Shadow Assistant Minister for Cyber Security, Tim Watts, introduced the private member's Ransomware Payments Bill 2021 (Cth) (‘the Bill’) into Parliament. The Bill would require the Commonwealth Government and big businesses to report ransomware payments to the Australian Cyber Security Centre (ACSC).
The Bill was introduced in response to the 200% increase in reported ransomware attacks on Australian organisations - including prominent incidents affecting companies such as JBS Foods and Nine Entertainment.
Who does the Bill apply to?
The Bill is intended to apply to Commonwealth, State and Territory agencies, as well as large corporations and partnerships. It does not apply to:
- small businesses with an aggregate turnover of less than $10 million;
- sole traders; and
- unincorporated entities.
The Bill applies to any ransomware attack which affects data, computers or other devices located or used within Australia - regardless of where the entity making the payment is based.
If the Bill becomes law, what would need to be reported?
If the Bill becomes law, it will become mandatory for some ransomware payments made to criminal organisations to be reported.
A ransomware payment is defined as the payment of money or other consideration to end the unauthorised access, modification, impairment, or restriction of access to data. It also covers payment made to prevent the publication, damage, or destruction of the data.
The written notice to the ACSC would be required to set out:
- the name and contact details of the entity;
- the identity of the attacker, or what information the entity knows about the identity of the attacker; and
- a description of the ransomware attack, including:
  - the cryptocurrency wallet to which the payment was made;
  - the amount of the ransomware payment; and
  - any indicators of compromise known to the entity.
An entity would have to notify the ACSC as soon as practicable after it makes a ransomware payment. The phrase ‘as soon as practicable’ is not defined in the Bill; however, entities should prepare to notify the ACSC as soon as payment has been made, so that the ACSC or law enforcement can effectively identify the attacker and trace the ransomware funds.
The Bill proposes the introduction of penalties for entities that do not comply with the reporting requirement, with fines of up to $222,000.
Protecting reported information
The Bill enables the ACSC to disclose any information contained within the notification to anyone (including the public and law enforcement agencies), for the purpose of informing recipients about current cyber threats. Although the Bill would protect the personal information of individuals, no similar protection is provided to companies, so company data has no explicit protection.
Protection from criminal and civil proceedings
The Bill provides that any information obtained as a direct consequence of giving the notice will be inadmissible in evidence against individuals in criminal proceedings, other than if the notice is false or misleading.
Although the Bill only refers to individuals, the Explanatory Memorandum refers to the provision as intended to cover entities as well. However, the protection does not extend to civil proceedings. With this in mind, the notice could be used as evidence for regulatory or other enforcement action, as well as in class actions.
The Bill still needs to be considered by Parliament. It may or may not be accepted in its current form, or at all - but the intention is clear: if we arm the ACSC with information relating to attacks, it will be able to work on effective mitigation strategies and subsequently provide better assistance to the community, so that Australian organisations can protect themselves against such attacks.
If your organisation is unsure of how best to protect against cyber-attacks, or for advice on how to deal with an already active cyber-attack, please don’t hesitate to get in touch with Technology Law/Business, Corporate and Commercial Partner Tal Williams today.