Part 1—Preliminary

   

1   Short title

                   This Act is the Ransomware Payments Act 2021.

2   Commencement

             (1)  Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

 

Commencement information

| Column 1: Provisions | Column 2: Commencement | Column 3: Date/Details |
|---|---|---|
| 1.  The whole of this Act | A single day to be fixed by Proclamation. However, if the provisions do not commence within the period of 6 months beginning on the day this Act receives the Royal Assent, they commence on the day after the end of that period. | |

 

Note:          This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.

             (2)  Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.

3   Definitions

                   In this Act:

access to data held in a computer has the same meaning as in Part 10.7 of the Criminal Code.

attacker: see section 4.

Australian Cyber Security Centre means the part of the Australian Signals Directorate known as the Australian Cyber Security Centre.

civil penalty provision has the same meaning as in the Regulatory Powers Act.

Commonwealth entity has the same meaning as in the Criminal Code.

data has the same meaning as in the Criminal Code.

data held in a computer has the same meaning as in the Criminal Code.

de-identified has the same meaning as in the Privacy Act 1988.

electronic communication has the same meaning as in Part 10.7 of the Criminal Code.

Federal Circuit Court means the Federal Circuit Court of Australia.

Federal Court means the Federal Court of Australia.

impairment of electronic communication to or from a computer has the same meaning as in Part 10.7 of the Criminal Code.

indicator of compromise: see subsection 8(3).

modification, in respect of data held in a computer, has the same meaning as in Part 10.7 of the Criminal Code.

personal information has the same meaning as in the Privacy Act 1988.

ransomware attack: see section 4.

ransomware payment: see section 4.

Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014.

unauthorised access, modification or impairment has the same meaning as in Part 10.7 of the Criminal Code.

4   Meaning of attacker, ransomware attack and ransomware payment

                   A person (the attacker) engages in a ransomware attack if:

                     (a)  the person causes, whether directly or indirectly, any of the following by the execution of a function of a computer:

                              (i)  access to data held in a computer;

                             (ii)  modification of data held in a computer;

                            (iii)  the impairment of electronic communication to or from a computer;

                            (iv)  the impairment of the reliability, security or operation of any data held on a computer disk or other device used to store data by electronic means; and

                     (b)  the person knows the access, modification or impairment is unauthorised; and

                     (c)  in the case of an unauthorised modification or impairment—the modification or impairment:

                              (i)  restricts access by an authorised person to data held in a computer; or

                             (ii)  will, or gives an unauthorised person the ability to, modify, damage or destroy data held in a computer or on a computer disk or other device used to store data by electronic means; and

                     (d)  the attacker demands a payment (whether of money or other consideration) (a ransomware payment) to:

                              (i)  end the unauthorised access, modification or impairment; or

                             (ii)  prevent publication of any of the data; or

                            (iii)  end the restriction on access to the data; or

                            (iv)  prevent damage or destruction of the data; or

                             (v)  otherwise remediate the impact of the unauthorised access, modification or impairment.

5  Persons and connection with Australia

                   This Act applies to ransomware payment made by:

                     (a)  a Commonwealth entity; or

                     (b)  a State or Territory or an agency of a State or Territory; or

                     (c)  any other person if:

                              (i)  the person carries on a business (within the meaning of the Income Tax Assessment Act 1997) in the income year in which the payment is made; and

                             (ii)  the person is not a small business entity (within the meaning of that Act) for the year; and

                            (iii)  the ransomware payment relates to a ransomware attack against data, a computer, computer disk or other device located in Australia or used by the person in Australia.

Note:          For the application of this Act to partnerships, see section 11.

6   Binding the Crown

                   This Act binds the Crown in each of its capacities.

7   Saving of certain State and Territory laws

                   It is the intention of the Parliament that this Act is not to affect the operation of a law of a State or of a Territory that:

                     (a)  makes provision with respect to the collection, holding, use, correction or disclosure of information relating to ransomware attacks; and

                     (b)  is capable of operating concurrently with this Act.