September 17, 2021

Volume XI, Number 260


Would Mandatory Reporting of Ransomware Payments Cause More Good or Trouble?

Last month, the federal opposition (Shadow Assistant Minister for Cyber Security) introduced the private member’s Ransomware Payments Bill (the Bill) that proposes to make it mandatory for all Australian businesses and government agencies to notify the Australian Cyber Security Centre (ACSC) before paying a ransom to a ransomware attacker. Failure to notify will attract a penalty of 1,000 penalty units ($181,740).

As we all know, there have been a series of high-profile ransomware attacks in the past few months (see the ransomware attacks on UnitingCare Queensland, JBS Meatpacking, New York’s subway and American Colonial Pipeline). These attacks are giving governments around the world ammunition for greater control and influence over organisations’ security and management of technology-related threats (for example, see the blog we wrote about the CSET tool recently introduced by the US Department of Home Affairs).

The ACSC’s position is that organisations should not pay ransoms; despite this, many organisations choose to (or perhaps feel they are forced to) pay the ransom. The Bill is set to introduce a ransomware payment notification scheme that will require organisations to disclose key details of the attacks made on them (such as what cryptocurrency wallet the attacker has requested payment into).

The explanatory memorandum of the Bill has suggested that the Bill will provide an “important foundation for a comprehensive national ransomware strategy, which is needed to deal with the onslaught of ransomware attacks on Australian organisations.” The motivation of the regime is centred around the idea of data gathering so that the government can better understand patterns in cybercrime and develop strategies to defend against it.

It is a crime in Australia to pay a ransom, and forcing organisations to report when they choose to do so will force them to self-incriminate (likely making the regime unpopular with businesses).

The government is currently weighing up the merits of introducing a mandatory reporting requirement, and it will be interesting to see what conclusion it comes to. We have seen a number of ransoms paid recently, and sometimes businesses see this as the best option for their businesses.

Jacqueline Patishman also contributed to this article.

Copyright 2021 K & L Gates. National Law Review, Volume XI, Number 196

About this Author

Cameron Abbott
Partner

Mr. Abbott is a corporate lawyer who focuses on technology, telecommunications and broadcasting transactions. He assists corporations and vendors in managing their technology requirements and contracts, particularly large outsourcing and technology procurement issues including licensing terms for SAP and Oracle and major system integration transactions.

Mr. Abbott partners with his clients to ensure market leading solutions are implemented into their businesses. He concentrates on managing and negotiating complex technology solutions, which...

+61.3.9640.4261

Warwick Andersen
Attorney

Mr. Andersen is a senior corporate lawyer with a focus on commercial, technology and sourcing projects. He has advised on large scale outsourcing projects, technology agreements for both vendors and customers, corporate support, privacy and telecommunications regulatory work. He has acted for government departments, large listed companies, telecommunications companies and technology suppliers.

+61-2-9513-2508