Written by Patrick Gunning.
For about the last 5 years, most Australian companies have identified a cyber attack as one of the company's top 5 risks.
Ransomware, in particular, has disrupted a number of high profile Australian businesses in recent times. This kind of software encrypts data held on an infected computer (and, typically, on any shares or other machines it can reach from there). To restore the infected computer to its previous function, it is necessary either to rebuild it from scratch and rely on backup data that the ransomware has not reached, or to obtain a decryption key from the hacker. Typically, the hacker will demand payment in the form of virtual currency such as Bitcoin. It is also common for the hacker to claim to have made a copy of some of the organisation's data, and to make an express or implied threat to publish that data unless payment is received.
Most organisations are loath to pay a ransom of this kind. As a matter of principle, many are sympathetic to the view of British Prime Minister Margaret Thatcher, who said: "Give in to the terrorist and you breed more terrorism."
No doubt this sentiment explains why it is very rare for anyone to admit to paying a ransom.
That said, a November 2017 study of cyber insurance available in the EU and Middle East revealed that 9 out of 10 policies covered the cost of ransom payment as part of their "cyber extortion" coverage, and the tenth insurer offered it via an endorsement (i.e. in return for an additional premium). The fact that so many insurers offer coverage for ransom payments suggests there is a market demand. A decision of the High Court of England and Wales in December 2019 reveals that at least one insurer paid a ransom of almost US$1 million by Bitcoin, and then commenced legal proceedings in an effort to trace the recipient of the Bitcoins. Citrix reported that in 2016 one third of British companies surveyed had stockpiled Bitcoin in anticipation of making a ransom payment.
Obviously, the primary strategy to address the risk of ransomware is to have up-to-date backup data held offline or on separately secured systems (to minimise the risk that the backups will also be encrypted by the ransomware), and to have tested that the backups can actually be restored within an acceptable time.
One question we are being asked more frequently is "what if plan A fails, or will require an unacceptably long period of time to implement – are there legal issues we should be concerned about before deciding to pay a ransom?"
The key issue that any Australian organisation should seek legal advice on before deciding to make a payment to a hacker is whether doing so amounts to a criminal offence.
The most relevant offences, which could apply to all Australian organisations irrespective of the sector in which they operate, are the "instrument of crime" provisions in Division 400 of the Criminal Code Act 1995 (Cth). Under these provisions it is a serious criminal offence if:
- a person deals with money or property;
- where there is a risk that the money or property will become an "instrument of crime" – money or other property is an "instrument of crime" if it is used in the commission of, or used to facilitate the commission of, an indictable offence (Australian or foreign); and
- the person making the payment is reckless or negligent as to the fact that there is a risk that the money or property will become an instrument of crime.
Hackers demanding payment will have committed one or more criminal offences, and organised hackers who routinely engage in ransomware attacks might reasonably be expected to use some of the money received in ransom payments to purchase equipment or services with the intention of using them in future criminal conduct. The person making the payment will have no actual knowledge of what the ransom payments will be used for: it is entirely possible that the money could be used to support a lavish lifestyle for members of the gang through the purchase of vehicles, jewellery, luxury items or real property. But if an identified gang of hackers claims responsibility for the ransomware there is clearly "a risk" that any payment made to the gang will be used to facilitate the commission of future indictable offences.
As a policy matter it seems incongruous that a victim of crime could, in theory, commit a criminal offence by meeting the demands of the criminal.
One defence that may be available to the person paying the ransom is the defence of duress. Duress will be made out if a person reasonably believes that:
- a threat will be carried out unless an offence is committed;
- there is no reasonable way the threat can be rendered ineffective; and
- the conduct (here, the payment) is a reasonable response to the threat.
Obviously, the availability of the defence will depend on the circumstances facing the organisation considering making a ransom payment. That said, it is possible to conceive of scenarios in which the defence would apply. For example, the hackers may threaten to release confidential data they claim to have copied from the organisation's systems, unless the ransom is paid. Payment of the ransom would be the relevant offence to which the defence of duress would apply. But it would also be necessary to establish that there is no reasonable way that the threat from the hackers can be rendered ineffective, and that making the payment is a reasonable response to the threat.
Companies operating in some sectors of the economy may be subject to sector-specific laws that should also be taken into account.
Other legal issues relating to ransomware attacks
If your financial and inventory management systems are adversely affected, there will be a period of time during which you may need to revert to manual processes. Expect to have to deal with disgruntled customers and suppliers, some of whom may allege breach of contract and/or switch to your competitors.
If your company is listed, you will also need to consider the impact of a cyber incident on investors and whether a disclosure to the market should be made. There is a compelling academic study to support the view that, in the majority of cyber incidents disclosed publicly in the US, the disclosure had no material impact on the price of listed securities. However, the authors acknowledged that outliers may exist. ASX-listed property valuation company Landmark White, now known as Acumentis, is a local example of a company whose share price suffered materially following disclosure of 2 data security breaches. This was because the company's customers (principally banks who were concerned that information about their retail customers may have been affected by the breaches) suspended instructions to the company pending the outcomes of a detailed forensic investigation, so there was a significant reduction in revenue and profit. An IT contractor engaged by the company has been charged with multiple cyber crime offences. The trial is still pending.
You may also have obligations to notify regulators and/or individuals whose data has been affected by the incident. The Office of the Australian Information Commissioner reports that approximately 60% of data breaches notified to them are classified by the reporting entities as having been caused by malicious or criminal attacks.
Planning for the risk of a serious ransomware attack
A ransomware attack is an example of a potentially serious operational risk to the business of a company. As part of a director's duty of care and diligence, directors need to assess and address the risk of damage to the company from such an attack, and take steps to ensure that management has an appropriate crisis management plan and business continuity measures in place to respond if the company experiences a ransomware attack. These plans should provide for the assembly of a multi-disciplinary team that is capable of promptly:
- containing the damage done by the attack and seeking to return to normal operations as soon as practicable;
- investigating the information security vulnerability that enabled the attack to occur;
- identifying whether any data has been exfiltrated and considering any legal obligations to report the incident to regulators, affected individuals or contract counterparties;
- hardening the information security measures to guard against a similar attack;
- considering whether to notify insurers; and
- responding to interest in the incident from customers, suppliers, the media and any regulators.
ENISA, Commonality of risk assessment language in cyber insurance, November 2017.
AA v Persons Unknown who demanded Bitcoin on 10 and 11 October 2019 [2019] EWHC 3556 (Comm). The identities of the insurer and the insured were kept confidential by the court. The insured was a Canadian insurance company, and the insurer was an English company, which paid a ransom valued at US$950,000 from an English bank account.
Criminal Code Act 1995 (Cth), s 10.2 (duress).
Lange & Burger, "Long-term market implications of data breaches, not" (2017) 13 Journal of Information Privacy and Security 186. The study found that, in the first 3 days following announcement of a data security incident, the affected company's share price underperformed its peers by 1.13%, but by day 14 it had outperformed those peers by 0.05%.