2017 has been another frenetic and significant year for the technology sector. In this series, TechKnowChat Editor Sonia Sharma sits down with members of our Technology team to discuss the major issues of 2017 and what to look out for in 2018.

In our third and final instalment, Partner Caroline Atkins shares with us her views on the introduction of the mandatory data breach laws and what the fallout of the 2016 Census breach looked like.

It’s been seven months since you joined the Maddocks Canberra Office. How is it all going?

The last seven months have been absolutely fantastic. When I and others from the team joined in May 2017, everyone in the firm, and the Canberra office in particular, was so welcoming, and it really was a very seamless transition. All of our clients have been very supportive of the move to Maddocks, and now have the benefit of the additional and complementary expertise within other Maddocks teams, so we have been busier than ever.

There has been a huge spotlight on cyber issues in Canberra and Government. We really saw a fundamental shift in the way in which the Commonwealth Government viewed cyber related issues. Alastair MacGibbon, Department of the Prime Minister and Cabinet, Special Adviser to the Prime Minister has talked a lot about the shift from cyber security to cyber resilience. Can you explain what this means for Commonwealth agencies?

It is important that Commonwealth agencies understand and embrace the difference between cyber security and cyber resilience.

While cyber security is often focused on being reactive and “locking down”, cyber resilience is focused on being proactive, prepared and being able to operate, even during a cyber incident. Recent reports suggest that in 2016, 86% of Australian organisations had experienced attempts to compromise the confidentiality, integrity or availability of their network data system. According to the ACS’ Australia’s Digital Pulse 2017, the estimated cost from a cybersecurity attack is $419,000.

A resilience approach is focussed on taking a “whole of business” approach, working collaboratively with key stakeholders across business units embedding a high privacy culture within Commonwealth agencies. This is something that agencies need to instil in their organisational culture and ensure that everyone is working towards their cyber resilience goal.

There are so many changes happening in 2018 in the privacy and data space, from the introduction of the mandatory data breach laws and the new Privacy (Australian Government Agencies — Governance) APP Code 2017. Do you have any tips for Commonwealth agencies to manage these significant changes?

The most important thing is for agencies to be aware of these changes, and to understand what they mean for their particular organisation. This goes for all levels of the agency, from the executive leadership team to project officers who handle data, or manage contractors who handle data, on a day to day basis.

I recommend that agencies, if they have not already done so, make sure they take a pro-active approach now, to eliminate the need for urgent changes in systems, approaches and contracts once the new laws come into effect. For example, agencies should be ensuring now that all of their contractual arrangements that will extend after introduction of the new laws, deal appropriately with the new privacy and data security requirements.

Agencies should also make privacy a key consideration in the design and implementation of all of their information management systems. This means that they need to make privacy a key decision making factor in everything they do, instead of relegating it to an afterthought or ‘something to be done once the system is up and running’.

Earlier this year the Turnbull Government announced new legislation to require technology companies to provide “assistance” to intelligence and law enforcement agencies to access encrypted communications. The Bill is expected to be introduced early next year. Tech companies have so far been fairly critical of the proposed laws. How hard is it for Governments to navigate the complex issues around cyber and intelligence?

The point of the proposed legislation is to expand the current powers of law enforcement and intelligence services into the digital world.

It’s certainly no secret that technological development is dramatically outpacing the law. It’s been a constant struggle for Commonwealth, State and Territory governments to update their laws so that they cover new technologies. This is an issue across all areas of law and not just cyber security, for example over the past 5 years there has been a huge shift away from broadcast television toward video on demand services and media laws have struggled to keep up.

The use of end-to-end encryption in everyday communication has increased significantly with many people not even knowing that the messages they send are encrypted. One of the key elements of this proposed legislation (although the details are yet to be released) will be to require technology companies, where there is a valid warrant, to unencrypt certain communication.

The key concern raised by technology companies is a physical ability to do this as the fundamental basis of end-to-end encryption is that the sender and receiver of a message each have an encryption key but the technology company who transmits the message does not.

A key challenge for the Australian Government will be ensuring that the legislation adequately balances technological capability and intelligence requirements.

Can you tell us about the most interesting matter you worked on in 2017? What were some of the challenges you faced?

In the wake of the problems with the Census, there has been a real focus on cyber security issues within government agencies. Our Canberra team has been involved in some revolutionary changes in the way that agencies deal with cyber security and general security issues in their contracts. We have drafted new best practice clauses for contracts, including in relation to threatened and actual security breaches and provisions that deal with cyber security insurance which is becoming more and more common. We are now seeing our mechanisms and clauses pop up in all sorts of places which is very exciting.

We have also been involved in the development of public facing avatars (artificial intelligence) for use on Commonwealth agency websites. This is an area where the government is really using some cutting edge technology and it has been fascinating to be involved in.

On specific matters, the most interesting project I worked on was the establishment of the first whole of government technology agreement with SAP. The challenges of this project included that SAP are a very large incumbent supplier to agencies, and the Digital Transformation Agency (our client) did not have as much leverage as it would have for a normal procurement. In addition, the SAP products and services are complex and we needed to negotiate as many default protections as possible for the broadest possible range of agencies. We also needed to assist the DTA to manage the process of engagement with multiple agency stakeholders with a vested interest in the outcome of the negotiations.

Looking towards 2018, what do you see as the biggest TMT issue Government agencies will face?

Even though data security and privacy has been a key government issue for many years, I think this will remain one of the biggest issues for, at least, the next 12 months. For example, recent research on encryption and re-identification of de-identified data means that it will be necessary to re-examine many of the tools and technologies that have traditionally been relied on as adequate mechanisms to protect important data.

As mentioned earlier, it will be interesting to see how some of these new cyber security focused contracts will work in practice and whether the cyber resilience push has the desired effect and reduces the number of cyber security incidents faced by agencies.

On a personal note, what is the one piece of technology you can’t live without?

I know it’s cliché but I have become very dependent on my iPhone. Whilst in the office it is my connection to the outside world whether it be a quick check of the news or looking at what the Canberra weather has in store. When I am out of the office it provides me with a quick and simple way to check in ensuring that I am able to keep on top of the needs of my clients and can touch base with my staff.

Finally, where would you take us out for the best coffee in Canberra?

I don’t have a favourite coffee place but rather a favourite coffee supplier, ONA. The popularity of ONA is growing rapidly across Canberra and more and more coffee shops have started using their amazing beans. Lucky for me, and the Canberra office as a whole, the Double Drummer coffee shop just down the road has just switched to using ONA coffee, and as a double bonus they have just started selling Canberra’s favourite locally made donuts, Bombolini.

Read Part 1 of our TechKnowChat end of year mini-series with Sydney Partner Brendan Coady and Part 2 with Sean Field.

More about Caroline: Caroline is a leading technology and IP lawyer renowned for her experience in Australian Government procurement and contracting. Caroline has developed many widely-used RFT and contract precedents, and is a highly effective procurement strategist and negotiator. In 2016 Caroline was named in the Australian Lawyer Hot List of Lawyers for 2016.

More about Sonia: Sonia is a commercial lawyer who specialises in intellectual property, technology and telecommunications matters. She provides strategic, commercially focussed advice to clients in the entertainment, media and telecommunications sector. Sonia was nominated for the Young Achiever category at the 2011 Communications Alliance and CommsDay Awards.

In our second instalment, Special Counsel (and Joni Mitchell fan) Sean Field discusses the importance of taking a “cyber resilience” approach, the “fourth revolution” of Artificial Intelligence and why your organisation needs to have a clear understanding about its cyber insurance coverage.

It has been a particularly busy year for you, which included you jetting off to the United States for the NIST Cybersecurity Framework Workshop. What was your key takeaway from that conference?

The key takeaway for me from the NIST workshop was the need for the public and private sectors to work together in addressing cybersecurity issues. For example, the way that NIST provides leadership and engages with stakeholders in this area appears to me to be a model that works very well. In Australia all levels of government have made significant progress in this type of dialogue over the last twelve months or so and I think we can continue to learn from the US experience in this regard.

We worked together this year on the launch of the Maddocks Cyber and Data Resilience taskforce and it was fantastic to see it launch officially this November. Can you share with our readers why we decided to focus on ‘resilience’ rather than ‘security’ and what that term means to you?

Thought leadership on cyber in my view means doing more than simply sensationalising the latest data breach or cyber crime. It means moving the debate to focus on resilience – preparing for, responding to and recovering from a cybersecurity incident. From a business perspective, a narrow “security” mindset may result in missed opportunities in the “data economy”. Business must exploit the opportunities offered by the data economy (many of which we don’t know about yet) to gain a competitive edge but within a framework of planning for resilience in the face of a cyber incident.

It was really interesting to read your article about Cyber Insurance and how that topic is still in its infancy in Australia. What should Australian executives and other key stakeholders be doing to get up to speed and mitigate the risks in this area?

Cyber insurance could be an effective way to lay off residual risk but organisations need to be very clear about what risks they might choose to insure. That means understanding what data your organisation holds, where it is located and what are the vulnerabilities – in other words, a risk assessment. Being educated about your own risk position is in my view an essential step before making any approach to market for cyber insurance products. Moreover, insurers will, as part of their risk assessment, want to see that a potential insured has a level of sophistication in this area as this will feed into premiums and perhaps even decisions about whether the insurer wants to take you on as a risk.

There was a lot of hype about Artificial Intelligence this year, but it really appears that AI is being put into practice to give organisations a competitive edge. What are your forecasts for AI in 2018?

We were recently fortunate to have Mr Rajiv Cabraal, Director Legal, Governance and IP, Data 61 (a CSIRO business unit) present to Maddocks on AI and Legal Tech. There was much discussion about the “fourth revolution”. Economic and technological factors seem to be coalescing in a way that will enable AI to move forward in leaps and bounds. For example, the availability and scalability of massive computing power in the cloud at affordable prices is going to crack wide open opportunities for novel AI applications during 2018 and beyond.

Can you tell us about the most interesting matter you worked on in 2017? What were some of the challenges you faced?

A long-standing client of mine who is always up to something interesting in the cyber security space is establishing a storage facility for cryptographic keys for use in blockchain applications. At the moment we are advising this client on insuring against the cyber risks associated with the operation of such a facility. It should be no surprise that such a policy would be a novel form of insurance – to my knowledge no such policy has been written.

Looking towards 2018, what do you see as the biggest TMT issue clients will face?

The firm acts for both government and private sector clients and both face a number of similar challenges, albeit from a different perspective. I foresee something of a tussle looming next year over access for law enforcement agencies to encrypted communications. Providers will need to consider how to respond to existing and pending regulation in this area and a big part of this will be how they perceive their role as good corporate citizens in this debate.

On a personal note, what is the one piece of technology you can’t live without?

Well I’d quite like one of those underwater remote controlled vehicles for Christmas. Did that answer the question?

Finally, what will you be watching over the Holiday break and what is your format of choice?

As a keen (but not at all talented) guitarist it’s probably not so much what I’ll be watching as what I’ll be listening to and attempting to play. Right now I’m on a bit of a Joni Mitchell binge. Format of choice for my music – FLAC!

Read Part 1 of our TechKnowChat end of year mini-series with Sydney Partner Brendan Coady.