Federal Register of Legislation - Australian Government


A Bill for an Act to require the reporting of ransomware payments to the Australian Cyber Security Centre, and for related purposes
For authoritative information on the progress of bills and on amendments proposed to them, please see the House of Representatives Votes and Proceedings, and the Journals of the Senate as available on the Parliament House website.
Registered 13 Aug 2021
Introduced Senate 12 Aug 2021







































(Circulated by authority of Senator Keneally)







Ransomware is malicious software used to deny access to an organisation’s IT systems and/or to threaten the release of private data unless a ransom is paid. It is the ‘highest cyber threat’ facing Australian businesses according to the Australian Cyber Security Centre (ACSC).


The last 12 months have seen attacks on JBS Foods, paralysing a company that employs 11,000 Australians across 47 sites; on Nine Entertainment, which disrupted the network’s ability to broadcast; and on the Colonial Pipeline in the United States, leading to widespread fuel shortages in that country.


This is a stand-alone Bill to establish a mandatory reporting requirement for Commonwealth entities, State or Territory agencies, corporations, and partnerships who make ransomware payments in response to a ransomware attack.


The Bill will require entities who make a ransomware payment to notify the ACSC of key details of the attack, the attacker, and the payment. This information will be held by the ACSC and used to:

  • share de-identified information to the private sector through the ACSC threat-sharing platform;
  • collect and share information that may be used by law enforcement; and
  • collect and share information to inform policy making and to track the effectiveness of policy responses.


Ransomware is a jobs and investment destroyer when the Australian economy can least afford it. Analysts suggest that the cost to the Australian economy of ransomware attacks in 2019 alone was in the order of $1 billion.


This Bill provides an important foundation for a comprehensive national ransomware strategy, which is needed to deal with the onslaught of ransomware attacks on Australian organisations.





Part 1 – Preliminary

Clause 1: Short Title

1. Clause 1 is a formal provision specifying the short title of the Bill.

Clause 2: Commencement

2. This clause provides for the whole of the Act to commence on a single day to be fixed by Proclamation. Clause 2 also provides that if the provisions do not commence within the period of six months beginning on the day the Act receives Royal Assent, they commence on the day after the end of that period.

Clause 3: Definitions

3. This clause defines certain terms used in the Bill.

Clause 4: Meaning of attacker, ransomware attack and ransomware payment

4. This clause defines a ransomware attack as when an unauthorised person knowingly accesses, modifies or impairs data, or impairs electronic communication to or from a computer, and demands payment to do certain things, including to undo damage or prevent the publication or exfiltration of data. The definition of “unauthorised access, modification, or impairment” is as per section 476.2 of the Criminal Code Act 1995 (Cth).

Clause 5: Persons and connection with Australia

5. This clause applies the reporting requirement to all Commonwealth entities (corporate and non-corporate), all State and Territory agencies, and private sector businesses, excluding small businesses, sole traders, unincorporated entities and charities. The purpose of excluding small businesses is to limit compliance costs and to ensure that ACSC has access to high-quality actionable intelligence from the mandatory disclosures. “Small business entities” with an aggregate turnover of less than $10 million will be excluded from the scheme. This is the same meaning as in the Income Tax Assessment Act 1997 (Cth).

Clause 6: Binding the Crown

6. This clause binds the Crown in each of its capacities.

Clause 7: Saving of certain State and Territory Laws

7. This clause provides that this Bill does not affect the operation of a law of a state or territory that makes provision with respect to the collection, holding, use, correction or disclosure of information relating to ransomware attacks and that is capable of operating concurrently with this Bill.

Part 2 – Notification of ransomware payments

8. The purpose of this Part is to create a mandatory notification scheme for reporting ransomware payments, administered by the ACSC.

Clause 8: Notification of ransomware payments

9. This clause establishes the mandatory notification requirement and sets out the information that must be provided by an entity to the ACSC. If an entity makes a ransomware payment, it must provide the ACSC with its details, the details of the attacker and information about the attack to the extent that it is known. Information about the attack includes cryptocurrency wallet details, the amount of the payment, and indicators of compromise. Failure to notify the ACSC attracts a penalty.

Clause 9: Australian Cyber Security Centre may use information contained in notifications

10. This clause establishes the purposes for which the ACSC may use this information, which includes disclosing de-identified information for the purpose of informing the public and private sectors about the current threat environment and disclosing information to Commonwealth, State, or Territory agencies for the purpose of law enforcement.

11. Clause 9 also protects entities who make disclosures by making it an offence to disclose personal information except for use by law enforcement.


Part 3 – Miscellaneous

12. The purpose of this Part is to give effect to the penalty provision for non-compliance established in Clause 9.

Clause 10: Civil Penalty Provisions

13. This clause provides for the civil penalty provisions in the Bill to be enforceable under Part 4 of the Regulatory Powers (Standard Provisions) Act 2014.

Clause 11: Treatment of partnerships

14. This clause provides for the Bill (excluding clause 9) to apply to a partnership as if it were a person, except that an obligation that would otherwise be imposed on the partnership by the Bill is imposed on each partner and may be discharged by any of the partners, and contravention of a civil penalty provision in the Bill that would otherwise be committed by the partnership is taken to have been committed by each partner.

Clause 12: Delegation

15. This clause provides the Director-General of ASD with the power to delegate his or her functions under the Bill to a Senior Executive Service (SES) employee, or acting SES employee, in the ACSC.


Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Ransomware Payments Bill 2021

This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.


Overview of the Bill

The purpose of this Bill is to strengthen Australia’s cybersecurity by creating a more accurate picture of the ransomware threat and costs.

It does this by introducing a mandatory notification scheme for affected entities (with an aggregate turnover of more than $10 million) intending to make a ransomware payment.

It also provides the ACSC with actionable threat intelligence to bolster Australia’s cyber preparedness and response capability.


Human rights implications

The Bill engages the right to privacy and reputation by requiring entities who choose to make a ransomware payment to notify the ACSC and provide details of the ransomware attack and payment.

The cost of ransomware to the Australian economy in 2019 was estimated to be over $1 billion. Industry and cyber-security experts support the introduction of a mandatory reporting scheme which will assist private entities and the public sector to better understand and respond to this threat.

The extent to which the Bill limits this right is mitigated by the requirement that ACSC de-identify this information and through the inclusion of penalties for misuse of the collected information.



The Bill is compatible with human rights because, to the extent it may limit the right to privacy and reputation, those limitations are reasonable, necessary, and proportionate.


Senator the Hon. Kristina Keneally