Ransomware attacks have become more frequent and serious in recent years in line with a steep increase in the overall rate of cybercrime globally.
Targets range from small unlisted companies to large organisations and government agencies, often with sophisticated cyber defences and policies. The past two years have been particularly challenging for organisations due to the rise in remote working and the continued uptick in general and supply chain ransomware attacks.
The Australian Government has announced a number of proposed responses to ransomware attacks, including legislation to mandate the reporting of ransomware payments. There has also been increasing commentary on directors' duties with respect to cyberattacks. The Australian Government (along with the US) has expressed great concern about the growing cost to the economy of ransomware attacks and has strongly signalled increased regulation in this space in future.
This article explores the key issues including:
- is it legal under Australian law to pay a ransom;
- the reporting obligations under current Australian law;
- directors' duties with respect to ransomware attacks;
- potential regulatory risks and class actions;
- new proposed legislation affecting ransomware payments and reporting; and
- pertinent insurance considerations.
Given the increased risk of ransomware attacks and the strong likelihood of imminent changes to the law in this area, we recommend all organisations keep a close eye on legal developments and, if subject to a ransomware attack, seek urgent legal advice before responding, as the potential legal and reputational risks associated with paying a ransom are significant.
Is it legal in Australia to pay a ransom?
Under Australian law, it is generally not illegal for an organisation to pay a ransom. However, it’s complicated and requires careful decision making.
There are specific offences under the Commonwealth Criminal Code and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) which make it an offence for payments to be made either for money laundering purposes, or to a ‘terrorist organisation’ or an organisation proscribed by UN sanctions or Australia’s autonomous sanctions.
The criminal offence of money laundering necessarily involves the payment of money in circumstances where the payer has actual knowledge that there is a risk that the money will be used as an instrument of crime, or where the payer is reckless or negligent as to this risk.
Similarly, for the offence of making payments to a terrorist organisation, the offence occurs if the payer is ‘knowing or reckless’ as to the fact that the organisation was proscribed as a ‘terrorist organisation’.
An organisation that is considering whether to pay a ransom also needs to carefully consider what it knows about the perpetrator. This can often be discovered via forensic investigations. Questions to ask include:
- is the perpetrator part of a known criminal outfit or terrorist group? An up-to-date list of ‘terrorist organisations’ is maintained on the Australian National Security website;
- is it a State actor? and
- is the perpetrator an organisation listed as either a terrorist organisation, or on the UN or Australian sanctions lists? Breaches of some sanctions lists are strict liability offences, so businesses will be held liable even if the breach was not intentional, reckless or negligent.
The answers to these questions will determine whether or not it is legal to pay.
If the perpetrator is unknown, or there is no indication that the perpetrator is a declared terrorist organisation, or part of a criminal body intending further crimes, then payment to the organisation is unlikely to be ‘knowing or reckless’ so as to constitute an offence.
Reporting obligations under current Australian law
At present, there are no general mandatory reporting obligations applicable to ransomware attacks under Australian law.
In New South Wales, it is an offence to conceal a serious indictable offence where an organisation is in possession of information that will materially assist in apprehending, prosecuting or convicting an offender. Where the identity of a perpetrator is unknown, it is unlikely that a failure to report the attack would in itself make out this offence. However, you should obtain legal advice on your specific circumstances.
Depending on the nature of the organisation, the industry in which it operates, and the particular impact of the ransomware attack, further specific legal reporting obligations may arise, including:
- if the attack involves an unauthorised disclosure of ‘personal information’ then the organisation may be required by the Privacy Act 1988 (Cth) (Privacy Act) to report the incident to the Office of the Australian Information Commissioner (OAIC) as soon as reasonably practicable;
- if the organisation is a regulated financial services entity (such as a bank or superannuation fund) then it may be required under relevant prudential standards such as CPS 234 to notify the incident to the Australian Prudential Regulation Authority (APRA) within 24 hours of becoming aware of the incident;
- the organisation may be required to report a ransom payment to the Australian Transaction Reports and Analysis Centre (AUSTRAC) as a ‘suspicious transaction’ under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth); and
- the Security of Critical Infrastructure Act 2018 (SOCI Act) applies to entities in the electricity, gas, water and ports sectors in Australia, although it is currently being amended by the Commonwealth Government to greatly expand its operation to other sectors deemed to involve the operation of ‘critical infrastructure’. If the organisation operates ‘critical infrastructure’ within the meaning of the SOCI Act then there may be mandatory obligations to report cyber security incidents to the Australian Signals Directorate. Proposed amendments to the SOCI Act would also give the Minister for Home Affairs the power to intervene and potentially direct the organisation on how to respond to a ransomware attack (including whether or not to pay the ransom).
An impacted organisation should also consider whether any notifications are required under any applicable contracts of insurance, or triggered under third party contracts (either under specific data breach notification requirements or other clauses such as confidentiality clauses).
Director duties with respect to ransomware attacks
Company directors and officers have a duty to exercise their powers and discharge their duties with care and diligence. This duty is uncontroversial and is a cornerstone of the directors' duties set out in the Corporations Act 2001 (Cth) (Corporations Act). Over the past 20 years, section 180(1) of the Corporations Act has been tested with respect to various circumstances occurring in the course of company management. It is now possible that the duty will apply to ransomware attacks, how boards prepare and protect themselves, and how they respond.
Ransomware risk is by now (or should be) well known to directors and boards and it will become increasingly difficult to argue that the duty of care and diligence does not require directors and boards to consider, at minimum, the foreseeable risk of harm that would be caused by a ransomware attack. They also need to take steps to protect and respond to the reasonable standard set in the Corporations Act.
When determining whether the duty to act with care and diligence has been breached, a court will balance the foreseeable risk of harm to the company against the potential benefits of having addressed the risk. As with more ‘traditional’ risks, directors that have conducted such a balancing exercise for themselves, and who act based upon a rational and informed assessment of the company’s best interests, may have the protection of the ‘business judgment’ rule.
We are yet to see any significant Australian cases or regulatory prosecutions relating to breaches of directors' duties based on ransomware attacks or preparedness.
Directors should be aware that the losses caused by a ransomware attack go beyond the ransom paid. Following an attack there can be substantial business interruption expenses and in the case of public companies an immediate sell down in securities and reduction in market value.
For example, in November 2020 Isentia, a media intelligence and data company listed on the ASX, experienced a cyber-attack that affected its operations. Isentia spent up to approximately $8.5 million on remediation and provided discounts or credits to affected customers, significantly reducing revenues. Isentia’s share price fell significantly and Isentia shareholders eventually voted in favour of a takeover offer.
Potential regulatory risk and class actions
As the risk of cyber-attacks increases, it is highly likely that the OAIC and other government regulators will increase their regulatory action.
The OAIC has the power to seek civil penalties from organisations that have breached the Privacy Act, as well as to make public determinations that organisations have breached privacy laws. The OAIC has already publicly called for “a greater ability to pursue significant privacy risks and systemic non-compliance through regulatory action”, including stronger powers to impose civil penalties.
Under the Privacy Act, affected persons may be able to seek compensation. However, compensation is generally not awarded unless an affected individual supplies evidence of loss or damage.
Recently the OAIC identified that Uber had been approached by unknown persons who had accessed and downloaded personal information, including names, email addresses and mobile phone numbers of users of the Uber app.
After being notified of this breach, Uber paid US$100,000 under a ‘bug bounty’ program. In the view of the OAIC, rather than identifying the vulnerability and disclosing the breach responsibly, Uber’s “immediate response was to pay the attackers – who had intentionally acquired personal information and exploited a vulnerability to extort funds – under a bug bounty program”. The OAIC determined that Uber failed to comply with the Australian Privacy Principles.
No compensation was awarded for affected persons because under the Privacy Act the Commissioner is not authorised to award compensation simply because an organisation has breached the Act. Given the increasing trend towards increased regulatory action, this may change.
The Australian Securities and Investments Commission (ASIC) has already commenced an action alleging that a financial services licensee breached its obligations by failing to take steps to manage cybersecurity risk, which allegedly led to a cyber attacker accessing client information.
There is a global trend of more aggressive enforcement by regulators against businesses that have experienced cyber breaches. In the United States, the Federal Trade Commission (FTC) is taking action against businesses that allegedly failed to implement appropriate data protection measures for consumers’ personal information.
For example, in FTC v Wyndham Worldwide Corp it was alleged that inadequate cybersecurity practices had exposed consumer data to unauthorised access and theft. The FTC sought compensation for affected consumers that would redress the injury resulting from Wyndham’s failure to protect personal information. Similarly, the FTC brought an action against Equifax after it was hacked and the personal information of 147 million people was compromised. As part of a settlement with the FTC, Equifax agreed to pay at least $575 million, and potentially up to $700 million, to assist the people affected by the data breach.
Ransomware class actions have already commenced overseas. An action has commenced against Canon USA Inc after a ransomware attack affected employee information. In the United States, Equifax also settled a class action with 147 million class members that required Equifax to pay reimbursement for losses caused by the breach and to spend at least US$1 billion on data security over five years.
The class action regime in Australia would facilitate such actions, and these should be expected. The Privacy Act also includes a representative complaint regime, which could feasibly be utilised in a ransomware claim scenario.
Proposed legislation affecting ransomware payments
The Ransomware Payments Bill 2021 (Cth) currently before the parliament will introduce mandatory reporting obligations for ransomware payments.
If passed, any entity that makes a ransomware payment will be required at law to give written notice of the payment to the Australian Cyber Security Centre (ACSC) as soon as practicable. A civil penalty of 1,000 units (currently $222,000) will apply to a failure to report.
The Bill proposes that where a notification is made, ACSC can then disclose information (other than personal information) in the notification to:
- any person including the public (in de-identified form) for the purpose of informing about the cyber threat environment; and
- Commonwealth, state or territory agencies for purposes relating to law enforcement.
The Bill was first introduced to the House of Representatives on 21 June 2021 and remains before the lower house at time of writing.
Under proposed amendments to the SOCI Act, the Minister for Home Affairs will have greater oversight of cyber incidents affecting critical infrastructure and a power to issue a direction that the responsible entity for critical infrastructure do, or refrain from doing, a specified act or thing in dealing with an incident. Such a direction could prohibit the payment of a ransom.
Insurance considerations
Recent years have seen the emergence of the cyber insurance market, as traditional Directors and Officers (D&O) insurance failed to adequately respond to cyber and data risks. In particular, D&O policies provide for defence costs but not cyber remediation costs, and do not account for the preventative steps often required in ransomware scenarios.
The Australian cyber market is continuing to grow as boards are increasingly focused on cyber risk management. The market has grown both in respect of higher limits being purchased, and also in the total number of cyber policies placed.
However, the effect of the continued growth in attacks (and therefore claims) is reflected in the market steadily hardening – we have seen increased premiums for risks (15-20% average annual premium increases), capping of policy limits, and insurers requiring more underwriting information before a policy is written.
Whether or not ransomware payments are covered under a cyber insurance policy will depend on the exclusions and scope of the insurance purchased. This should be a further key consideration for an organisation considering its position in response to a ransomware attack, and whether or not to pay any ransom.
The legal issues associated with ransomware attacks need to be navigated carefully, particularly as the law changes and develops in this area in response to the ever-growing risk of ransomware attacks.