The landmark Cyber Security Act 2024 (Cth) has now become law (as of 29 November 2024), although some of the provisions of the Act will not come into operation until a later date.
The Act introduces standards for IoT devices (Part 2 – commencing 12 months after Royal Assent unless an earlier date is fixed by proclamation) and imposes a new obligation to report cyber ransom payments (Part 3 – commencing six months after Royal Assent unless an earlier date is fixed by proclamation). The Act also provides for voluntary sharing of information with the Cyber Coordinator (Part 4) and establishes a Cyber Incident Review Board (Part 5).
This note focuses on the ransom payment obligation and some of the legal issues related to provision of information to Government.
Compulsory ransom payment reporting
The ransom payment reporting obligation is new to Australia and reflects a middle ground position – the Government chose not to outlaw ransom payments, but decided to gather intelligence about cyber ransoms.
The obligation is placed on all businesses with a turnover of over $3 million, aligning with the threshold in the Privacy Act 1988 (Cth). Captured organisations will have to report within 72 hours and should review their cyber incident procedures and protocols to make provision for ransom reporting.
That said, paying a cyber ransom is not straightforward from a legal perspective. Some organisations as a matter of policy may decide that they will not pay a cyber ransom. However, if failing to pay a cyber ransom would inflict significant harm on the organisation or its stakeholders (for example if customer or employee data was going to be released on the dark web), many organisations would want to at least have the option. From a corporate policy perspective, the decision to pay or not to pay should be worked out – provisionally at least – prior to a live cyber incident.
Moreover, there are other legal considerations that need to be factored into a payment or non-payment decision. Cyber actors may be sanctioned organisations, meaning that a payment could potentially be a breach of sanctions legislation, in Australia or another country. Organisations may need to make checks, as best they can, to exercise due diligence in relation to the identity of the payee as a potentially sanctioned group. Further, under the Commonwealth Criminal Code, a “duress” defence might be available for a sanctions offence, although this will very much depend on the particular circumstances and whether the organisation has other alternatives.
Similarly, other laws such as anti-money laundering (AML) and counter terrorism financing (CTF) could apply to a ransom payment.
Given these issues, it is just as well that the Cyber Security Act limits the use to which a ransom payment report can be put, including limits on admissibility of the information in the ransom payment report (section 32(1)). Unfortunately, the information in a ransom payment report can nevertheless be used for the investigation and enforcement of a law that imposes a penalty or sanction for a criminal offence. Moreover, it is worth noting that the privilege against self-incrimination does not apply to corporations.
So, while there have not been any prosecutions (so far) for ransom payments infringing sanctions, AML or CTF laws, the ransom reporting obligation will require Australian corporations to disclose to the Commonwealth Government ransom payments that could – depending on the circumstances and in particular the availability of the “duress” defence – give rise to criminal liability or at least facilitate the investigation and enforcement of a criminal contravention.
Moreover, criminal liability under Commonwealth criminal laws can extend to individuals as “accessories” – and a person who participates in a corporate decision to pay a ransom could well be found to be an accessory if the payment was a breach of a Commonwealth law.
The bottom line is that great care should be taken with any decision to pay a ransom, and this is underscored by the ransom reporting obligation.
Voluntary disclosures to Government and legal professional privilege (or client legal privilege)
One of the somewhat controversial issues that arose during the consultation process leading to the Cyber Security Act related to legal professional privilege (also referred to as client legal privilege). This allows confidential documents produced for the dominant purpose of legal advice or for use in litigation to be withheld from disclosure, whether in litigation or in relation to a search warrant or compulsory notice to produce. Legal privilege can be lost (or “waived”) if the document is disclosed in a way that is inconsistent with the confidentiality required for privilege to exist.
It is unlikely that legally privileged material will need to be disclosed in connection with a cyber ransom report, and some discussion of the issue of legal professional privilege in that context was a bit of a red herring.
However, the Act makes specific provision for voluntary disclosure of information to the Cyber Coordinator, and this was one of the key objectives of the Act – to encourage a business that is the subject of a cyber incident to share information with Government, for the benefit of the wider community.
The Act does go some way to limit the use to which voluntarily provided information can be put, and it also imposes limitations on admissibility.
During the consultation, the Law Council of Australia advocated for a legislative regime where any legally privileged material could be provided to Government on a limited and confidential basis, so that privilege could be maintained. While this was raised in evidence before the Parliamentary Joint Committee on Intelligence and Security, it did not result in any amendment to the legislation.
The Act does not make it clear that privilege is not lost by voluntary disclosure, and given the extensive scope for on-disclosure and use by Government of information provided voluntarily, there is a real risk that privilege over any document provided voluntarily will be jeopardised. A loss of privilege would mean that the document would be potentially available to opponents in litigation, including regulators in enforcement proceedings and class action plaintiffs.
While we do not wish to discourage sharing of information concerning cyber incidents with Government, affected organisations need to be mindful that any applicable legal professional privilege may well be lost by reason of a voluntary disclosure.
However, it is worth noting that amendments were made to the Freedom of Information Act 1982 (Cth) to ensure that information provided to the Cyber Coordinator would not be subject to an FOI request. At the same time, while information provided to Government may be inadmissible against the providing business (see section 42 of the Act) the information can still potentially be obtained by third parties by subpoena – it is no answer to a subpoena that the subpoenaed documents are not admissible.
Overall, the voluntary disclosure and related provisions of the Cyber Security Act are a step forward, but time will tell as to whether the provisions of the Act have gone far enough to encourage voluntary disclosures.