Would Mandatory Reporting of Ransomware Payments Cause More Good or Trouble?
Thursday, July 15, 2021
Australia, Ransomware Payments Bill, Australian Cyber Security Centre reporting, ransomware attacks, Australia ransomware attack
Print Mail Download i

Last month, the federal opposition (Shadow Assistant Minister for Cyber Security) introduced the private member’s Ransomware Payments Bill (the Bill) that proposes to make it mandatory for all Australian businesses and government agencies to notify the Australian Cyber Security Centre (ACSC) before paying a ransom to a ransomware attacker. Failure to notify will attract a penalty of 1,000 penalty units ($181,740).

As we all know, there have been a series of high profile ransomware attacks in the past few months (see ransomware attack on UnitingCare QueenslandJBS MeatpackingNew York’s subway and American Colonial Pipeline). These attacks are giving governments around the world ammunition for greater control and influence over organisation’s security and management of technology related threats (for example, see the blog we wrote about the CSET tool recently introduced by the US Department of Home Affairs).

The ACSC’s position is that organisations should not pay ransoms; despite this, many organisations chose to (or perhaps feel they are forced to) pay the ransom. The Bill is set to introduce a ransomware payment notification scheme that will require organisations to disclose key details of the attacks made on them (such as what cryptocurrency wallet the attacker has requested payment into). 

The explanatory memorandum of the Bill has suggested that the Bill will provide an “important foundation for a comprehensive national ransomware strategy, which is needed to deal with the onslaught of ransomware attacks on Australian organisations.” The motivation of the regime is centred around the idea of data gathering so that the government can better understand patterns in cybercrime and develop strategies to defend against it.

It is a crime in Australia to pay a ransom and forcing organisations to report when they chose to do so will force them to self-incriminate (likely making the regime unpopular with businesses).

The government is currently weighing up the merits of introducing a mandatory reporting requirement and it will be interesting to see what conclusion it comes to. We have seen a number of ransoms paid recently and sometimes businesses see this is the best option for their businesses.

Jacqueline Patishman also contributed to this article.

Copyright 2024 K & L Gates

Current Legal Analysis

More from K&L Gates

Don't Bank on It: FDIC Board Withdraws Asset Manager Bank Control Proposals
by: Grant F. Butler , Yuki Sako
US Department of Labor Announces Final Rule Increasing Salary Thresholds for Overtime Exemptions
by: April Boyer , Erinn L. Rigney
FTC Ban on Non-Competes Could Be Challenging to Asset Managers
by: Edward Dartley , Robert H. McCarthy Jr
In an About-Face, Pennsylvania to Regulate Virtual Currency as Money
by: Jeremy M. McLaughlin , Joshua (Josh) Durham
Challenge Accepted: Federal Trade Commission Issues Final Rule Banning Noncompete Agreements for Most Workers
by: Lauren Norris Donahue , Erinn L. Rigney
April 2024 ESG Policy Update-Australia
by: Clive Cachia , Lisa Lautier
Three Things to Know About Cboe’s ETF Share Class Filing
by: Stacy L. Fuller , Christine Mikhael
Litigation Minute: The Lifecycle of Beauty Packaging
by: Katherine L. Staba
Europe: Research Cost Re-Bundling – Is the UK Going Back to the Future?
by: Andrew J. Massey , Philip J. Morgan
PFAS Regulation Continues to Take Center Stage: EPA Releases Final Drinking Water Standards
by: Brian S. Montag , Dawn M. Lamparello

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins