Businesses are being warned to tread carefully if they choose to pay a “ransom” to retrieve encrypted data.
The head of the McCullough Robertson Lawyers technology, media and telecommunications group, Alex Hutchens, said recent developments had added extra risk in this area.
Paying has never been legally risk-free: Commonwealth terrorism-financing offences make it a crime to provide funds that are likely to be used to facilitate terrorism, and sanctions laws prohibit dealing with designated persons and groups, so a ransom that reaches such a recipient can itself be an offence. “The challenge for business is always ‘should you pay the ransom?’. Government advice for a long time has been to not pay it,” Mr Hutchens said.
Despite that, recent legislative developments appear to acknowledge that ransom demands are common and frequently paid.
The Cyber Security Act 2024 (Cth), passed in late 2024, introduced a mandatory ransomware payment reporting obligation that took effect in 2025. An organisation carrying on business in Australia with an annual turnover of $3 million or more (the same threshold that separates small businesses from other entities under the Privacy Act 1988 (Cth)), along with responsible entities for critical infrastructure assets regardless of turnover, must report to the Federal Government within 72 hours of making a ransomware payment, or of becoming aware that a payment has been made on its behalf. The obligation covers any payment or benefit demanded in connection with a cyber security incident, not only payments for a decryption key.
In a ransomware attack, criminals gain access to an organisation’s systems and encrypt its data so that it cannot be used, then demand payment for the decryption key.
The victim is left with a choice: pay and hope to receive a working decryptor, or recover without one, which means containing the malware, rebuilding affected systems and restoring data from backups, a process that is slow and costly and that recovers nothing for which no clean backup exists. Paying carries its own risks: the decryptor supplied may be faulty or incomplete, and where the attackers also copied the data before encrypting it, payment does not prevent its later publication.
“It’s a difficult issue to navigate, because the business model of the hackers is to operate ‘professionally’ and release the data as soon as they are paid,” Mr Hutchens said. “They get no money if people believe they won’t return the data. There is therefore a degree of ‘trust’ built into this (illegal) business model.
“Often businesses see this (paying the ransom) as the cost effective and efficient way to retrieve the data. But there are risks.”
Mr Hutchens said cyber crime was now such a big “industry” that the war against it would never be won.
As a result, organisations would need to be ever vigilant against possible attacks.
“If you are faced with a ransom demand or cyber security incident, it will always be a case of dealing with what you know at the time,” he said. “What we know from the statistics is that the key risk for cyber incidents remains human error – things like responding to phishing attacks or falling for ‘man in the middle’ attacks.
“Consumer awareness and expectations are much greater now than they were, say, five years ago, and the regulators are becoming more active as enforcers rather than just educating people about the dangers. So it is important to be prepared and vigilant – implementing and updating both operational measures and technical controls to minimise the risk of falling victim to a ransomware attack, and being aware of your legal obligations if you are considering paying in response to a ransom demand.”