Will you pay up? Ransomware payment reporting framework proposed for Australia

In the last year, the number and size of ransomware attacks on Australian businesses have grown substantially with increasingly more businesses being threatened with their data being released unless they pay a ransom.

The ABC has reported recently that one third of Australian businesses hit by a ransomware attack over a 12 month period had paid the ransom and the Parliamentary Joint Committee on Intelligence and Security heard in June 2021 that, over the previous 12 months, there had been a 60% increase in ransomware attacks against Australian businesses.

To combat this, on 21 June 2021, the Ransomware Payments Bill (the Bill) was introduced into the House of Representatives by a Labor MP, Tim Watts. An identical bill, Ransomware Payments Bill 2021 (No 2), sponsored by Senator Kristina Keneally, was introduced into the Senate on 12 August 2021.

The Bill makes it mandatory for various businesses to report to the Australian Cyber Security Centre (ACSC) if they make ransomware payments in response to a ransomware attack. We look at the key features of the proposed reporting framework below.

What is a ransomware attack?

For an attack to be a “ransomware attack” for the purposes of the Bill, the following conditions must be met:

  1. The attacker must cause any of the following:
    • Access to, or modification of, data held in a computer;
    • Impairment of:
      • electronic communication to/from a computer; or
      • the reliability, security or operation of any data held on a computer or a device.
  2. The attacker knows that the access, modification or impairment is unauthorised.
  3. Where there is unauthorised modification or impairment, the modification or impairment:
    • restricts access to the data held in a computer by an authorised person; or
    • enables the unauthorised person the ability to modify, damage or destroy data held in a computer or other device used to store data electronically.
  4. The attacker demands payment (money or consideration) to:
    • end the unauthorised access, modification or impairment;
    • prevent the publication of the data;
    • end the restricted access to the data;
    • prevent the damage or destruction of the data; or
    • remediate the impact of the unauthorised access, modification or impairment.

What ransomware payments must be reported?

The framework applies to ransomware payments which are made by any of the following:

  • a Commonwealth entity (both corporates and non-corporates);
  • a State or Territory (or State or Territory agency); or
  • entities carrying on business in Australia in the income year in which the payment is made, provided that:
    • the entities are not “small businesses” (being companies, partnerships, trusts and sole traders with an annual turnover of less than $10 million per year); and
    • the ransomware payment is related to a ransomware attack against data or a computer network located in Australia.

This means that international businesses paying ransoms overseas will likely be required to report ransom payments if the payment concerns data or computer networks in Australia.

What must be reported to the ACSC?

If a ransomware payment is made, it will be mandatory for the entity to provide written notice of the following to the ACSC “as soon as practicable” (which has not been defined in the Bill):

  • the entity’s name and contact details;
  • the identity of the attacker (or what is known about the attacker);
  • a description of the ransomware attack, including the cryptocurrency wallet used by the attacker, the payment amount and any technical evidence left by the attacker, which indicates their identity or methods.

Individuals will not be excused from providing a notice on the grounds that giving the notice might incriminate them in relation to an offence; nor are companies able to claim privilege against self-incrimination.

What will the ACSC do with the notice?

The ACSC may disclose the information contained in the notice to Commonwealth, State or Territory agencies for law enforcement purposes. Information may also be disclosed by the ACSC to the private sector and the public to inform them about the current cyber threat environment: however, no personal information will be disclosed.

What are the penalties for non-compliance?

The proposed civil penalty for non-compliance is 1,000 penalty units, which is currently $222,000.

Next Steps

The Bills are currently before the House of Representatives and Senate. We do not know, at this stage, whether the Bills will be supported broadly across the political spectrum. In any event, we will be monitoring closely the progress of the Bills and any amendments that are made to the reporting framework.

Should you have any questions regarding the framework or ransomware attacks more broadly, please contact out Privacy team.

Liability limited by a scheme approved under Professional Standards Legislation.
© ADDISONS. No part of this document may in any form or by any means be reproduced, stored in a retrieval system or transmitted without prior written consent. This document is for general information only and cannot be relied upon as legal advice.