Commonwealth of Australia Explanatory Memoranda Commonwealth of Australia Explanatory Memoranda[Index] [Search] [Download] [Bill] [Help]
2019-2021
THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA
SENATE
RANSOMWARE PAYMENTS BILL 2021
EXPLANATORY MEMORANDUM
(Circulated by authority of Senator Keneally)
RANSOMWARE PAYMENTS BILL 2021
OUTLINE
Ransomware is malicious software used to deny access to an organisation's IT systems
and/or to threaten the release of private data unless a ransom is paid. It is the 'highest cyber
threat' facing Australian businesses according to the Australian Cyber Security Centre
(ACSC).
The last 12 months have seen attacks on JBS Foods, paralysing a company that employs
11,000 Australians across 47 sites; on Nine Entertainment which disrupted the network's
ability to broadcast; and on the Colonial pipeline in the United States leading to widespread
fuel shortages in that country.
This is a stand-alone Bill to establish a mandatory reporting requirement for Commonwealth
entities, State or Territory agencies, corporations, and partnerships who make ransomware
payments in response to a ransomware attack.
The Bill will require entities who make a ransomware payment to notify the ACSC of key
details of the attack, the attacker, and the payment. This information will be held by the
ACSC and used to:
share de-identified information to the private sector through the ACSC threat-sharing
platform;
collect and share information that may be used by law enforcement; and
collect and share information to inform policy making and to track the effectiveness
of policy responses.
Ransomware is a jobs and investment destroyer when the Australian economy can least
afford it. Analysts suggest that the cost to the Australian economy of ransomware attacks in
2019 alone was in the order of $1 billion.
This Bill provides an important foundation for a comprehensive national ransomware
strategy, which is needed to deal with the onslaught of ransomware attacks on Australian
organisations.
NOTES ON CLAUSES
Part 1 - Preliminary
Clause 1: Short Title
1. Clause 1 is a formal provision specifying the short title of the Bill.
Clause 2: Commencement
2. This clause provides for the whole of the Act to commence on a single day to be
fixed by Proclamation. Clause 2 also provides that if the provisions do not commence within
the period of six months beginning on the day the Act receives Royal Assent, they commence
on the day after the end of that period.
Clause 3: Definitions
3. This clause defines certain terms used in the Bill.
Clause 4: Meaning of attacker, ransomware attack and ransomware payment
4. This clause defines a ransomware attack as when an unauthorised person knowingly
accesses modifies or impairs data, or impairs electronic communication to or from a
computer and demands payment to do certain things including to undo damage or prevent the
publication or exfiltration of data. The definition of "unauthorised access, modification, or
impairment" is as per section 476.2 of the Criminal Code Act 1995 (Cth).
Clause 5: Persons and connection with Australia
5. This clause applies the reporting requirement to all Commonwealth entities (corporate
and non-corporate), all State and Territory agencies, and private sector businesses excluding
small businesses, sole traders and unincorporating entities and charities. The purpose of
excluding small businesses is to limit compliance costs and to ensure that ACSC has access
to high-quality actionable intelligence from the mandatory disclosures. "Small business
entities" with an aggregate turnover of less than $10 million will be excluded from the
scheme. This is the same meaning as in the Income Tax Assessment Act 1997 (Cth).
Clause 6: Binding the Crown
6. This clause binds the Crown in each of its capacities.
Clause 7: Saving of certain State and Territory Laws
7. This clause provides that this Bill does not affect the operation of a law of a state or
territory that makes provision with respect to the collection, holding, use, correction or
disclosure of information relating to ransomware attacks and that is capable of operating
concurrently with this Bill.
Part 2 - Notification of ransomware payments
8. The purpose of this Part is to create a mandatory notification scheme for reporting
ransomware payments, administered by the ACSC.
Clause 8: Notification of ransomware payments
9. This clause establishes the mandatory notification requirement and sets out the
information that must be provided by an entity to the ACSC. If an entity makes a ransomware
payment, they must provide ACSC with their details, the details of the attacker and
information about the attack to that extent that it is known. Information about the attack
includes cryptocurrency wallet details, the amount of the payment, and indicators of
compromise. Failure to notify the ACSC attracts a penalty.
Clause 9: Australian Cyber Security Centre may use information contained in
notifications
10. This clause establishes the purposes for which the ACSC may use this information,
which includes disclosing de-identified information for the purpose of informing the public
and private sectors about the current threat environment and disclosing information to
Commonwealth, State, or Territory agencies for the purpose of law enforcement.
11. Clause 9 also protects entities who make disclosures by making it an offence to
disclose personal information except for use by law enforcement.
Part 3 - Miscellaneous
12. The purpose of this Part is to give effect to the penalty provision for non-compliance
established in Clause 9.
Clause 10: Civil Penalty Provisions
13. This clause provides for the civil penalty provisions in the Bill to be enforceable
under Part 4 of the Regulatory Powers (Standard Provisions) Act 2014.
Clause 11: Treatment of partnerships
14. This clause provides for the Bill (excluding clause 9) to apply to a partnership as if it
were a person, except for that an obligation that would otherwise be imposed on the
partnership by the Bill is imposed on each partner and may be discharged by any of the
partners, and contravention of a civil penalty provision in the Bill that would otherwise be
committed by the partnership is taken to have been committed by each partner.
Clause 12: Delegation
15. This clause provides the Director-General of ASD with the power to delegate his or
her functions under the Bill to a Senior Executive Service (SES) employee, or acting SES
employee, in the ACSC.
Statement of Compatibility with Human Rights
Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011
Ransomware Payments Bill 2021
This Bill is compatible with the human rights and freedoms recognised or declared in the
international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny)
Act 2011.
Overview of the Bill
The purpose of this Bill is to strengthen Australia's cybersecurity by creating a more accurate
picture of the ransomware threat and costs.
It does this by introducing a mandatory notification scheme for affected entities (with an
aggregate turnover of more than $10 million) intending on making a ransomware payment.
It also provides the ACSC with actionable threat intelligence to bolster Australia's cyber
preparedness and response capability.
Human rights implications
The Bill engages the right to privacy and reputation by requiring entities who choose to make
a ransomware payment to notify the ACSC and provide details of the ransomware attack and
payment.
The cost of ransomware to the Australian economy in 2019 was estimated to be over $1
billion. Industry and cyber-security experts support the introduction of a mandatory reporting
scheme which will assist private entities and the public sector to better understand and
respond to this threat.
The extent to which the Bill limits this right is mitigated by the requirement that ACSC de-
identify this information and through the inclusion of penalties for misuse of the collected
information.
Conclusion
The Bill is compatible with human rights because to the extent it may limit the right to
privacy and reputation, those limitations are reasonable, necessary, and proportionate.
Senator the Hon. Kristina Keneally