On 21 June 2021, Shadow Assistant Minister for Cyber Security, Tim Watts, introduced in Federal Parliament the Ransomware Payments Bill 2021 (the Bill). This follows the Department of Home Affairs secretary, Mike Pezzullo, flagging the idea at a Senate Committee hearing in May this year, suggesting bipartisan support.
If passed, the Bill would require public and private entities (other than small businesses) to report any ransomware payments to the Australian Cyber Security Centre (ACSC). It would also enable the ACSC to disclose any of the information contained in the notification to any person (including the public) for the purpose of informing the recipients about the current cyber threat environment and also to law enforcement agencies.
The Bill is but one of many efforts in Australia – and around the world – aimed at addressing the rapidly increasing and evolving threat of ransomware, with similar schemes being contemplated in other Five Eyes nations such as the US[1] and the UK[2].
The Bill moved to a second reading on the same day it was introduced. The Government, which as noted above has reportedly been considering a similar scheme, is unlikely to oppose the Bill. No proposed amendments have been circulated to date. It remains to be seen whether the Bill will receive expedited passage. There is also no indication that industry has been or will be consulted, reminiscent of the approach taken to the adoption of the encryption and online harm legislation two years ago.
In this briefing, we provide an overview of the changes contemplated by the Bill and some of the potential issues that may arise.
What does the Bill propose?
To whom does it apply?
Corporations and partnerships, as well as Commonwealth entities and State or Territory agencies.
Exemption for small businesses with an aggregate turnover of less than $10 million, charities, sole traders and unincorporated entities.
What needs to be reported?
Ransomware payments. This is defined as the payment of money or other consideration (which would include cryptocurrencies) to:
- end the unauthorised access, modification, impairment or restriction of access to data;
- prevent the publication, damage or destruction of the data; or
- otherwise remediate the impact of the unauthorised access, modification or impairment.
What information needs to be included?
Name and details of the entity making the payment.
As much information as is known about the attacker’s identity or purported identity.
A description of the ransomware attack (including the cryptocurrency wallet details), the amount of the payment and any technical evidence left by the attacker that indicates its identity or methods.
When to report?
As soon as practicable. The Bill does not expressly require that entities report before any payment is made.
What are the consequences of failure to notify?
1,000 penalty units (currently $222,000). There is no fault-based element, and no exceptions excuse non-compliance with the notification requirement.
What potential issues might arise under the Bill?
The Bill raises a number of issues or questions that will need to be considered by all stakeholders, including:
Effectiveness and proportionality
The Bill’s objectives are set out at a high level in the Explanatory Memorandum:
- Reporting and sharing information about ransomware payments could, arguably, facilitate cooperation against cyber threats and help regulators trace the money (as illustrated recently by the FBI recovering almost half of the US$5m cryptocurrency ransom paid by Colonial Pipeline, although the extent of the recovery was affected by the volatility of Bitcoin between the date of payment and the date of recovery).
- The collection of information will inform policy making and help track the effectiveness of policy responses. It could also serve as a deterrent for entities considering payments, although neither the Bill nor the Explanatory Memorandum provides evidence to support this.
These potential benefits will need to be weighed against the risk of unintended side effects, including those described below.
Protecting reported information
The ability of the ACSC to disclose any of the information to law enforcement agencies and to any person (including the public) raises a number of issues:
There is limited explicit protection of a company’s data. In particular, while the personal information of individuals will be de-identified, there is no equivalent protection for a company, so it should be expected that a company’s identity may well be disclosed.
Information collected by the ACSC may expose entities to reputational risks associated with payments of cyber-ransoms, and may signal to threat actors ‘the extent to which and how much Australian businesses are willing to pay’ following a ransomware attack.
Other proposals for mandatory reporting regimes, such as that proposed by the US-based Ransomware Task Force, call for entities to be able to report anonymously.
Protection from criminal and civil proceedings
The Bill proposes that information obtained by, or as a direct consequence of, the notice will not be admissible in evidence against ‘individuals’ in criminal proceedings (for example, actions for payments to sanctioned entities), other than where the notice is false or misleading. While the provision as drafted refers only to individuals, it seems that the intention is to cover entities, as referred to in the Explanatory Memorandum. However, the safe harbour does not extend to civil proceedings. Therefore, it is possible that the report could form the basis for regulatory or other enforcement action, as well as class actions.
Lack of clarity in notification requirements
Some elements of the reporting obligation leave scope for potential ambiguity, including the content of the notification, such as what is ‘technical evidence left by the attacker’ and the meaning of ‘as soon as practicable’.
Overlaps with other reporting requirements
Consideration should also be given to how this reporting requirement may interact or overlap with other requirements to report cyber security incidents, including those contemplated under the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (see our briefing here).
Described in the Explanatory Memorandum as an ‘important foundation for a comprehensive national ransomware strategy’, the adoption of the Bill is unlikely to be the end of the road.
Early engagement with the Bill (including in respect of the issues outlined above) and the broader Australian Government cyber security strategy will help entities appropriately plan for their eventual implementation.