Ransom demands: What to consider

Ransomware attacks can be crippling for an Australian business. In this article, we discuss considerations if your business is asked to pay a ransom demand to recover its encrypted data or prevent confidential data or personal information from being published online.

What do businesses need to consider when asked to pay a ransom demand?

A business may need to consider making a ransom payment in order to unlock data, if that data has been encrypted and cannot be recovered from back-up copies. Alternatively, it might pay the ransom in order to reduce the risk of serious harm to any of the individuals named in that data, if the data were to get out and be published on the internet.

Is it legal to pay a ransom? 

It's not actually illegal to pay a ransom in Australia. That is, at the time of writing there's no specific law banning anyone from paying one in all circumstances. However, there are a couple of laws that you may want to consider. There are provisions in Commonwealth and state laws that make it an offence to pay money in a situation that might be similar to a ransom demand. These include where an individual is reckless or negligent about whether the ransom payment might be used to further another crime or be involved in proceeds of crime.

Additionally, it may be an offence if you were to make a payment to a prohibited or sanctioned organisation, such as one listed, whether by name, by type or by country, on a blacklist maintained by Australia or the United Nations, for example.

What should a business check before considering a ransom payment?

So, in light of the above circumstances, if your business is thinking about making a ransom payment, it may be worthwhile to check on the individual or organisation demanding that payment and evaluate whether you can actually make a payment to them.

Again, if they are on a blacklist or the payment would be made in those prohibited circumstances, it might be better not to make a payment. In general terms, in accordance with the guidance from the Australian Government and most regulatory agencies, it is recommended not to make a payment.

In saying this, we also haven't identified any circumstance where an individual has been prosecuted for making a payment in order to overcome a ransom demand in the case of a cyber security incident. There is also a legal defence of duress that might be available, depending on the circumstances. But this is very context-specific, and it is recommended to get legal advice before you decide to make a ransom payment in those circumstances.

HopgoodGanim's Intellectual Property, Technology and Cyber Security team provides market-leading advice for new and existing businesses on all aspects of cyber security, including cyber preparedness and data breach incident response. The team handles cyber, privacy and data protection claims, helping clients mitigate and manage complex scenarios, and advises proactively on technology, liability and privacy risks.
