A number of high profile media and entertainment businesses have been the victims of ransomware attacks in recent years. In Australia, a Bill has been recently introduced to Federal Parliament that seeks to impose an obligation on organisations other than small businesses to notify the Australian Cyber Security Centre as soon as practicable if it makes a ransomware payment. A civil penalty will apply for failure to do so. The Bill has yet to be considered by the Senate but has passed the House of Representatives.
The Australian Cyber Security Centre has labelled ransomware the ‘highest cyber threat’ facing Australian businesses. A 2020 Crowdstrike Report has found that over two-thirds (67%) of Australian organisations have suffered a ransomware attack in the last 12 months. The global rate sits at only 57%. In 33% of those cases, the affected company paid the ransom, costing an average of AU$1.25 million for each breach. Payment of the ransom provides resources to the criminal organisations mounting these attacks and creates an incentive for them to carry out more attacks.
To combat this and to allow Australian signals intelligence and law enforcement agencies to collect actionable intelligence on where ransomware money is going so they can track and target the responsible criminal groups, the Federal Government has introduced the Ransomware Payments Bill 2021 (Cth) (the Bill). The Bill has passed the House of Representatives and is set to be reviewed by the Senate.
The Bill imposes a mandatory obligation on an entity that makes a ransomware payment to notify the Australian Cyber Security Centre as soon as practicable. While not reflected in the bill, Tim Watts, MP indicated in his second reading speech that notification should occur before the entities make the payment. A civil penalty of 1000 penalty units (currently $222,000) will apply for failure to notify. The notice must include the name and contact details of the entity, what the entity knows about the identity of the attacker, and a description of the attack including the cryptocurrency wallet to which the ransom was paid, the amount, and any indicators of compromise (technical evidence of the attackers identity or methods). The notice is not admissible in any criminal proceedings except for proceedings for giving false or misleading information.
The information contained in the notification (including the identity of the relevant organisation) will not be able to be published further, except for enforcement processes or unless it is de-identified and disclosed for the purpose of informing the person/the public about the current cyber threat environment.
The notification obligation will if the Bill is passed apply to all Australian organisations, including all Commonwealth entities (corporate and non-corporate), State and Territory agencies and specified private sector entities but excluding small businesses (being those entities with an aggregate turnover of less than $10million), sole traders, unincorporated entities and charities. It applies where the data, computer, computer desk, other device is in Australia or used by a person in Australia.
For the purpose of the Bill, Ransomware attacks are defined to include a wide variety of cyber-security situations in which the attacker demands a payment. The definition captures situations in which a person who knows that they do not have authority to do so accesses data, modifies data, impairs communications to or from a computer or impairs the reliability, security or operation of any data held on a disk or other device used to store data by electronic means, and demands payment to end or remediate the relevant situation or the impact of the unauthorised access, modification or impairment.
Regardless, the Australian Cyber Security Centre recommends that organisations do not pay the ransom during a ransomware attack as there is no guarantee that cybercriminals will decrypt files once the ransom is paid, there is a chance that files may not be recoverable (for example where files are permanently modified or deleted) and the link provided to the victim for payment and information may inadvertently install further malware onto the victim’s system or network.
Entities should also be aware of the other notification obligations applying in the event of a data breach, including (but not limited to):
- mandatory data breach notification obligations imposed by the Privacy Act 1988 (Cth);
- notification obligations under state and territory criminal laws relating to serious indictable offences, such as under the Crimes Act 1900 (NSW).
- notification obligations in respect of information security incidents and material security vulnerabilities under APRA Prudential Standard CPS 234; and
- notification obligations imposed by the proposed Security of Critical Infrastructure Act 2018 (Cth) Reforms.
In the event that you are affected by any kind of data breach, whether ransomware or otherwise, Bird & Bird can assist to advise on any notification or other legal obligations that apply.