This is a Bill, not an Act. For current law, see the Acts databases.

2019-2021
The Parliament of the Commonwealth of Australia
THE SENATE
Presented and read a first time

Ransomware Payments Bill 2021
No. , 2021
(Senator Keneally)

A Bill for an Act to require the reporting of ransomware payments to the Australian Cyber Security Centre, and for related purposes
Contents

Part 1--Preliminary
1 Short title
2 Commencement
3 Definitions
4 Meaning of attacker, ransomware attack and ransomware payment
5 Persons and connection with Australia
6 Binding the Crown
7 Saving of certain State and Territory laws

Part 2--Notification of ransomware payments
8 Notification of ransomware payments
9 Australian Cyber Security Centre may use information contained in notifications

Part 3--Miscellaneous
10 Civil Penalty Provisions
11 Treatment of partnerships
12 Delegation
The Parliament of Australia enacts:

Part 1--Preliminary

1 Short title

This Act is the Ransomware Payments Act 2021.

2 Commencement

(1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Commencement information
Column 1 (Provisions) | Column 2 (Commencement) | Column 3 (Date/Details)
1. The whole of this Act | A single day to be fixed by Proclamation. However, if the provisions do not commence within the period of 6 months beginning on the day this Act receives the Royal Assent, they commence on the day after the end of that period. | (blank)

Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.

(2) Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.

3 Definitions

In this Act:

access to data held in a computer has the same meaning as in Part 10.7 of the Criminal Code.
attacker: see section 4.
ASD means the Australian Signals Directorate.
Australian Cyber Security Centre means the part of the Australian Signals Directorate known as the Australian Cyber Security Centre.
civil penalty provision has the same meaning as in the Regulatory Powers Act.
Commonwealth entity has the same meaning as in the Criminal Code.
data has the same meaning as in the Criminal Code.
data held in a computer has the same meaning as in the Criminal Code.
de-identified has the same meaning as in the Privacy Act 1988.
electronic communication has the same meaning as in Part 10.7 of the Criminal Code.
Federal Circuit Court means the Federal Circuit Court of Australia.
Federal Court means the Federal Court of Australia.
impairment of electronic communication to or from a computer has the same meaning as in Part 10.7 of the Criminal Code.
indicator of compromise: see subsection 8(3).
modification, in respect of data held in a computer, has the same meaning as in Part 10.7 of the Criminal Code.
personal information has the same meaning as in the Privacy Act 1988.
ransomware attack: see section 4.
ransomware payment: see section 4.
Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014.
unauthorised access, modification or impairment has the same meaning as in Part 10.7 of the Criminal Code.

4 Meaning of attacker, ransomware attack and ransomware payment

A person (the attacker) engages in a ransomware attack if:
  (a) the person causes, whether directly or indirectly, any of the following by the execution of a function of a computer:
    (i) access to data held in a computer;
    (ii) modification of data held in a computer;
    (iii) the impairment of electronic communication to or from a computer;
    (iv) the impairment of the reliability, security or operation of any data held on a computer disk or other device used to store data by electronic means; and
  (b) the person knows the access, modification or impairment is unauthorised; and
  (c) in the case of an unauthorised modification or impairment--the modification or impairment:
    (i) restricts access by an authorised person to data held in a computer; or
    (ii) will, or gives an unauthorised person the ability to, modify, damage or destroy data held in a computer or on a computer disk or other device used to store data by electronic means; and
  (d) the attacker demands a payment (whether of money or other consideration) (a ransomware payment) to:
    (i) end the unauthorised access, modification or impairment; or
    (ii) prevent publication of any of the data; or
    (iii) end the restriction on access to the data; or
    (iv) prevent damage or destruction of the data; or
    (v) otherwise remediate the impact of the unauthorised access, modification or impairment.

5 Persons and connection with Australia

This Act applies to a ransomware payment made by:
  (a) a Commonwealth entity; or
  (b) a State or Territory or an agency of a State or Territory; or
  (c) any other person if:
    (i) the person carries on a business (within the meaning of the Income Tax Assessment Act 1997) in the income year in which the payment is made; and
    (ii) the person is not a small business entity (within the meaning of that Act) for the year; and
    (iii) the ransomware payment relates to a ransomware attack against data, a computer, computer disk or other device located in Australia or used by the person in Australia.
Note: For the application of this Act to partnerships, see section 11.

6 Binding the Crown

This Act binds the Crown in each of its capacities.

7 Saving of certain State and Territory laws

It is the intention of the Parliament that this Act is not to affect the operation of a law of a State or of a Territory that:
  (a) makes provision with respect to the collection, holding, use, correction or disclosure of information relating to ransomware attacks; and
  (b) is capable of operating concurrently with this Act.

Part 2--Notification of ransomware payments

8 Notification of ransomware payments

(1) An entity that makes a ransomware payment must, as soon as practicable, give written notice of the payment to the Australian Cyber Security Centre in accordance with subsection (2).
Civil penalty: 1,000 penalty units.
(2) The notice must set out:
  (a) the name and contact details of the entity; and
  (b) the identity of the attacker, or what information the entity knows about the identity of the attacker (including information about the purported identity of the attacker); and
  (c) a description of the ransomware attack, including:
    (i) the cryptocurrency wallet etc. to which the attacker demanded the ransomware payment be made; and
    (ii) the amount of the ransomware payment; and
    (iii) any indicators of compromise known to the entity.
(3) An indicator of compromise is technical evidence left by the attacker that indicates the attacker's identity or methods.

Privilege against self-incrimination
(4) An individual is not excused from giving a notice under subsection (1) on the ground that giving the notice might tend to incriminate the individual in relation to an offence.
Note: A body corporate is not entitled to claim the privilege against self-incrimination.
(5) However:
  (a) the notice given; and
  (b) the giving of the notice; and
  (c) any information, document or thing obtained as a direct consequence of the giving of the notice;
are not admissible in evidence against the individual in criminal proceedings other than proceedings for an offence against section 137.1 or 137.2 of the Criminal Code that relates to this Act.

9 Australian Cyber Security Centre may use information contained in notifications

(1) This section applies if a person notifies the Australian Cyber Security Centre of a ransomware payment under section 8.
(2) The Australian Cyber Security Centre may disclose any of the information contained in the notification to any person (including the public) for the purpose of informing the person about the current cyber threat environment.
Example: Publication to members of the ACSC Partnership Program through the Centre's threat-sharing platform.
(3) However, the Australian Cyber Security Centre must not disclose personal information under subsection (2) unless the information is first de-identified.
(4) The Australian Cyber Security Centre may disclose any of the information contained in the notification to:
  (a) a Commonwealth entity; or
  (b) a State or Territory, or an agency of a State or Territory;
for purposes relating to law enforcement.
(5) A person commits an offence if:
  (a) information is disclosed to the person under subsection (4); and
  (b) the person discloses any of the information.
Penalty: 500 penalty units.
(6) Subsection (5) does not apply if:
  (a) the information the person discloses is not personal information; or
  (b) the entity that gave the original notification to the Australian Cyber Security Centre consents to the disclosure of the information; or
  (c) the Director-General of ASD authorises the disclosure of the information; or
  (d) the disclosure is to a court; or
  (e) the disclosure is otherwise required or authorised by law.
Note: A defendant bears an evidential burden in relation to the matter in subsection (6): see subsection 13.3(3) of the Criminal Code.

Part 3--Miscellaneous

10 Civil Penalty Provisions

Enforceable civil penalty provisions
(1) Each civil penalty provision of this Act is enforceable under Part 4 of the Regulatory Powers Act.
Note: Part 4 of the Regulatory Powers Act allows a civil penalty provision to be enforced by obtaining an order for a person to pay a pecuniary penalty for the contravention of the provision.

Authorised applicant
(2) For the purposes of Part 4 of the Regulatory Powers Act, the Director-General of ASD is an authorised applicant in relation to the civil penalty provisions of this Act.
(3) An authorised applicant may, in writing, delegate the authorised applicant's powers and functions under Part 4 of the Regulatory Powers Act in relation to the civil penalty provisions of this Act to an SES employee, or acting SES employee, in the Australian Cyber Security Centre.

Relevant court
(4) For the purposes of Part 4 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the civil penalty provisions of this Act:
  (a) the Federal Court;
  (b) the Federal Circuit Court.

11 Treatment of partnerships

(1) This Act (other than section 9) applies to a partnership as if it were a person, but with the changes set out in this section.
(2) An obligation that would otherwise be imposed on the partnership by this Act is imposed on each partner instead, but may be discharged by any of the partners.
(3) A contravention of a civil penalty provision of this Act that would otherwise be committed by the partnership is taken to have been committed by each partner.
(4) A partner does not contravene a civil penalty provision because of subsection (3) if the partner:
  (a) does not know of the circumstances that constitute the contravention of the provision concerned; or
  (b) knows of those circumstances but takes all reasonable steps to correct the contravention as soon as possible after the partner becomes aware of those circumstances.

12 Delegation

The Director-General of ASD may, in writing, delegate all or any of his or her functions or powers under this Act to an SES employee, or acting SES employee, in the Australian Cyber Security Centre.
Note: Sections 34AA to 34A of the Acts Interpretation Act 1901 contain provisions relating to delegations.