Source: Allens Insights
The rationale for mandatory reporting is the Government’s limited visibility over threats to the private sector and the current underreporting of ransomware payments.
A ransomware reporting regime has previously been supported by both major parties, so we expect this reporting regime will receive bipartisan support.
Two key elements of the Government’s proposal are:
- reporting obligations will be triggered on payment of a ransom, rather than on awareness of an extortion attempt, or commencement of negotiations with threat actors; and
- the reporting obligations extend to cyber theft extortion (holding data hostage), not just ransomware (locking functionality).
Restrictions on use of ransomware payment reports
Importantly, the Cyber Bill makes clear that ransomware payment reports may only be used or disclosed by the designated federal body or a secondary entity (if such reports are disclosed by the designated federal body), in limited circumstances. Relevantly, the designated federal body must not use or disclose the relevant information it obtains for the purposes of investigating or enforcing any contravention by the reporting business entity of a federal, state or territory law (other than a law that imposes a penalty for a criminal offence).
To the extent that payment of a ransom is an offence under a criminal sanctions, terrorism financing or other financial crime law, federal or state bodies will be permitted to record, use or disclose the information.
Admissibility in proceedings
The Cyber Bill clarifies that information in ransomware payment reports is inadmissible in a broad range of proceedings—including for certain criminal proceedings, civil proceedings for contraventions of civil penalties and proceedings for breaches of any federal, state or territory laws (including the common law). Whilst this provision does not amount to safe harbour from all criminal liability, it does provide broad comfort that information (which is not subject to LPP) may not be admitted in legal proceedings.
Importantly, because this protection is specifically expressed to attach to information provided by the reporting entity, careful consideration will need to be given in circumstances where a group of companies has suffered an incident.
Claims of legal professional privilege
The Cyber Bill also expressly states that information provided in a ransomware payment report does not affect a claim of LPP that anyone may make in relation to information in any proceedings. The express LPP carveout is important, as statutory provisions that abrogate legal professional privilege must do so expressly and unambiguously.2 However, the position as to whether and when provision of information the subject of LPP to government agencies constitutes a waiver of LPP is far from settled.3 Further, the protections in respect of LPP are not as broad or far reaching as those in respect of the admissibility of evidence (see above). Accordingly, careful consideration will need to be given prior to the disclosure of any material to which LPP may apply.