2017: In Review
2017: In Review
The biggest Tech trends and events of the Year
2017 has been another frenetic and significant year for the technology sector. In keeping with Commvault and Maddocks' joint mission to deliver you practical guidance, our end of year wrap-up highlights the most significant technology trends of the year impacting business, Government and the way we live, as well as highlighting some top priorities for the new year.
Whether you are an IT manager confronted with the challenges of digital transformation and coming to terms with the frequency, scale, sophistication and severity of data breaches; an executive aiming to increase your cyber awareness and literacy, including understanding breakthrough technologies such as blockchain; or an overworked in-house counsel trying to keep up with the rapid pace of regulatory change, including the introduction of the GDPR and mandatory data breach laws, this article will assist you take stock and develop your "to do" list for 2018.
2 2017 IN REVIEW
2017 in statistics
It pays to respond quickly to a data breach: According to a June 2017 study by IBM and the Ponemon Institute LLC, if the mean time to contain a data breach was less than 30 days, the estimated average total cost of data breach was $2.83 million versus $3.77 million if the time to contain was over 30 days.
Negative publicity on data breaches damages
34%the bottom line:
of the service providers surveyed by Cisco reported that they had lost revenue due to attacks in the past year.
of executives are seriously backing the power of AI: According to PwC's 2017 report on AI `Bot. Me: A Revolutionary Partnership', business leaders believe AI is going to be fundamental in the future. In fact, 72% termed it a `business advantage'.
The more sensitive the personal information, the higher the ramifications for an organisation if there is a data breach: IBM and the Ponemon Institute LLC identified that the average global cost of data breach per lost or stolen record was $141. However, health care organisations had an average cost of $380 per record and financial services had an average cost of $245 per record.
Industry has increasing
734awareness of cyber threats: Of
the cyber incidents affecting industry that the Australian Cyber Security Centre (ACSC) responded to during 2016 2017, 58 percent were self-reported by industry and 42% were instead detected by the ACSC.
2017 IN REVIEW
Under Attack Increasingly significant cyber breaches
Cyberattacks were prolific in 2017. Cyber meltdowns came thick and fast, appearing in the news with alarming frequency. Our top 5 breaches of the year are listed below. These high profile cyber events illustrate the sheer pace with which cyber threats can spread around the globe and how quickly they can bring organisations to a standstill by impacting core functions.
Occurring in May 2017, the worldwide cyberattack by the WannaCry ransomware cryptoworm targeted computers running Microsoft Windows by encrypting data and demanding ransom payments. By day 5 it had infected more than 230,000 computers in over 150 countries. The UK's National Health Service had to run a number of services on an emergency-only basis.
Despite the impact of WannaCry the subsequent Petya and NotPetya attacks revealed that many organisations continued to remain vulnerable to ransomware and malware targeting Windows-based systems. This was principally because businesses opted to delay scheduled maintenance windows.
In July 2017, The Guardian reported that a darknet vendor on a popular auction site for illegal products had access to Australians' Medicare card details and could supply them on request. At least 75 Australians' personal details were reported to have been sold on the site. This led to an investigation by the Australian Federal Police and the government announcing a review into the security of Medicare online. In September 2017, the panel delivered its report on the review to the government. Recommendations included that the Department of Human Services undertake a public awareness campaign encouraging people to protect their Medicare card details and tighter control of batch requests for Medicare card numbers through health professional online services.
A massive data breach hit the US in September with listed global information solutions company Equifax Inc. announcing a cybersecurity `incident' potentially impacting a whopping 143 million US consumers. To put this into context, that is nearly half the US population. It was a PR disaster for the company, compounded by calls to the dedicated breach hotline going unanswered.
4 2017 IN REVIEW
In August the Australian Information and Privacy Commissioner, Timothy Pilgrim, published his investigation into the Australian Red Cross Blood Service's DonateBlood.com.au data breach. The charity organisation passed with flying colours with Pilgrim noting, "data breaches can still happen in the best organisations -- and I think Australians can be assured by how the Red Cross Blood Service responded to this event. They have been honest with the public, upfront with my office, and have taken full responsibility at every step of this process." Organisations take note!
In November, Uber admitted to covering up a massive hack of 57 million users' data by paying the hackers responsible $132,000 to delete the data and to keep the breach quiet. The ride share company's poor handling of the data breach is likely to be a massive headache for new boss Dara Khosrowshahi who was recruited earlier this year to clean up the company's murky corporate culture.
You are only as strong as your weakest link. Companies with branches in emerging markets have been found to have poor adherence to corporate systems maintenance policies. Further, as we have previously reported, the weakest link in your organisation can often be your people. Effective cyber training and awareness is therefore vital.
`Test regularly you don't know what you don't know. Testing helps to uncover and address risks'
NATHAN DRURY WW CUSTOMER EXPERIENCE MANAGER, COMMVAULT
2017 IN REVIEW
Data as an asset
In Sydney you could not escape the sudden explosion of dockless bikes popping up on every street corner, with Reddy Go, Ofo and oBikes all launching in 2017. And while debate raged in newspapers and online forums as to whether the bikes were corporate clutter or a fantastic social and environmental model, the share bikes highlight a key trend. Many commentators have expressed the view that the value of the business is not the product itself but the sheer amount of data collected by the use of the bikes.
The Sydney Morning Herald recently reported that retail giant Woolworths re-established its dominance with a surge in September quarter sales. The SMH put the strong performance down to Woolworths' investment in data (Woolworths paid $20 million for a 50 per cent stake in data analytics company Quantium).
These 2017 case studies illustrate that data is an asset regardless of your business offering. Whether it's your customer lists, customer preferences, patient medical records or client financials, personal information and data are the all-important `DNA' of any organisation. How your organisation handles, manages and harnesses data and data insights could mean the difference between market dominance and market failure.
`With thousands of apps, users, processors and regulations, the time for businesses to rethink their data strategy is now. A leadership team and workforce that fully embodies a data-first mentality and approach will drive innovation across all parts of the company'
OWEN TARANIUK VP OF GLOBAL PARTNERSHIP AND MARKET DEVELOPMENT, COMMVAULT
6 2017 IN REVIEW
B is for Blockchain
The words `innovation' and `disruption' are so overused these days that we tend to cringe when they are uttered. But you get the idea. At its simplest, Blockchain is a distributed ledger a chain of information, chronologically organised in blocks replicated by all computers in a participating network.
The Australian Financial Review has had a constant stream of articles on how banks plan to use blockchains, but the applications and implications
of this technology reach well beyond banking. It can be used to verify the provenance of consumer products, provide the basis for digital evidence for your organisation when making a patent claim and process any number of transactions.
As Commvault CEO Bob Hammer says "Blockchain is going to be everywhere. It's just another element that you have to manage."
Key stakeholders within your organisation need to understand both the possibilities and limitations of blockchain.
2017 IN REVIEW
Artificial Intelligence Ascends
While we have been talking about Artificial Intelligence (AI) and Machine Learning (ML) for some time, 2017 saw a significant shift from talk to action.
We even saw Dubai Police reveal their first robot officer in May 2017, tasked with patrolling the city's malls and tourist attractions. In MIT SMR's 2017 report on artificial intelligence
and business strategy, which is based on interviews with more than 3,000 business executives, managers, and analysts in 112 countries and 21 industries, 84% of respondents say AI will enable them to obtain or sustain a competitive advantage.
Closer to home, big Australian brands such as NAB, Coca-Cola, Bupa, IAG, AMP, Ladbrokes and
Woolworths are all using AI and ML to gain a competitive edge. And, while the application of AI and ML can sometimes be terrifying (if you need evidence beyond the threat to jobs, watch the eyepopping documentary `The Sexbots are Coming' available on ABCiview) it is clear that organisations need to continue to develop their AI strategy.
Relevant stakeholders need to wade through the hype and seriously consider how AI and ML can be used for competitive advantage.
8 2017 IN REVIEW
Greater regulation The GDPR and Mandatory Data Breach
The passing of some of the most onerous laws and regulations in recent time will have significant implications for the way in which organisations do business and handle personal information.
Mandatory Data Breach
Soon organisations will have no choice but to report serious data breaches which meet certain criteria, thanks to the new mandatory data breach laws under the Australian Privacy Act 1988 (Cth) which come into force on 22 February 2018. For more information, check out our `deep-dive' into the new laws.
From 25 May 2018, a new regime of personal data protection requirements in the European Union known as the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) will come into effect. And it is not just for organisations based in the EU the GDPR has unprecedented extraterritorial reach and will apply to many companies and government entities in Australia and elsewhere. Your organisation will be caught by the GDPR if it processes the `personal data' of people in the EU and:
offers goods or services to people in the EU;
monitors the behaviour of people in the EU; or
has an office in the EU.
Businesses face fines of up to 4% of annual global turnover or 20 million if they are in breach of the GDPR. For more information on the key aspects of the GDPR and practical ways to prepare for it before 25 May 2018, you can access our user-friendly guide to the GDPR and tips for responding to data breaches.
The clock is ticking, refer to our following checklist.
`Sound data breach practice is all about being proactive and having a clearly understood and effective data breach response plan.
Most users understand that attacks are becoming more complex, more sophisticated and more frequent.
What they don't expect (and shouldn't experience) are insufficient security of their personal information and late or no communication.'
MICHAEL BISHOP APAC LEGAL DIRECTOR, COMMVAULT
2017 IN REVIEW
10 2017 IN REVIEW
Your 2018 Checklist
Before you log off for the end of the year, be sure to include the following on your `to do list' so that you are ready to hit the ground running when you return in 2018:
Are you mandatory data breach ready?
Do you have a robust Data Breach Response Plan in place? Have you undertaken the steps in our Review Refine Retest Respond model?
Check you are GDPR ready. Have you:
Assessed whether your organisation is required to comply with the GDPR? Mapped out the data flows to and from your business? Asked stakeholders in the business to complete questionnaires about data processing operations that may be caught by the GDPR? Considered how to structure your consents to comply with stricter requirements? Reviewed your internal data management policies and privacy notices to ensure that they comply? Reviewed and updated the terms in your key supplier and customer agreements to include the compulsory contractual clauses regarding processors' obligations and dealing with transfer of personal data outside the EU?
If you are an Australian Government Agency:
Are you ready for the new Privacy (Australian Government Agencies -- Governance) APP Code 2017 coming into effect on 1 July 2018? Do you have a privacy management plan? Is there at least one designated Privacy Officer (who is the primary contact point for advising on privacy matters)? Do you have a designated Privacy Champion (who is a senior official and must provide leadership within the agency on strategic privacy issues)? Have you included privacy education training in staff induction programs? Do staff receive annual privacy education training? Have you scheduled regular reviews of your privacy practices for compliance with the APPs?
If you are planning on implementing new technology products and services:
Have you determined whether a Privacy Impact Assessment (PIA) may be legally required? Both the GDPR and the Code require a PIA to be conducted in certain circumstance and the OAIC recommends a PIA be conducted on a voluntary basis).
2017 IN REVIEW 11
Expert comments and predictions
Brendan Tomlinson | Maddocks Special Counsel 61 2 9291 6121 email@example.com
It's been another huge year in tech. In terms of trends, many of our clients have turned to agile development for their IT projects; cloud issues continue to receive plenty of focus; and we've assisted on a number of interesting FinTech offerings. This year bitcoin really
hit the mainstream. Public sector IT spend was again very large ($5.7 billion for the Commonwealth in
2016-17) as were the number of troubled IT projects, with the Victorian Government joining the NSW and
Federal Governments in introducing whole of government portfolio management office functions to improve
how projects are monitored. Large tech companies have been under pressure for paying little or nothing to
the ATO, and, just at year-end, the US has voted to repeal net neutrality.
Looking ahead, 2018 is clearly going to be a busy time for organisations getting ready for mandatory data breach notification and the GDPR. We've been assisting a number of clients prepare for both, and I think organisations will increasingly realise the GDPR applies to them and that compliance will require significant effort.
Please also see our TechKnowChat end of year mini-series for comments from Maddocks partner Brendan Coady and special counsel Sean Field.
12 2017 IN REVIEW
If you would like further information about your business's privacy obligations, please contact Commvault or Maddocks.
Michael Bishop | Commvault APAC Legal Director 61 2 8243 9815 mbishop@Commvault.com
Brendan Tomlinson | Maddocks Special Counsel 61 2 9291 6121 firstname.lastname@example.org
Sonia Sharma | Maddocks Senior Associate 61 2 9291 6143 email@example.com
Emily Lau | Maddocks Lawyer 61 2 9291 6141 firstname.lastname@example.org
2017 IN REVIEW 13
Maddocks (December 2017)
The copyright in this publication is owned by Maddocks. All rights are expressly reserved. This publication may not be downloaded, printed or reproduced, in whole or in part, without the prior written consent of Maddocks. Copyright enquiries and requests for additional copies should be directed to Maddocks.
This publication provides general information which is current as at the time of production. The information contained in this communication does not constitute legal or other advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information and any action taken or decision made by any party based on this publication is not within the duty of care of Maddocks. Maddocks disclaims all responsibility and liability (including, without limitation, for any direct or indirect or consequential costs, loss or damage or loss of profits) arising from anything done or omitted to be done by any party in reliance, whether wholly or partially, on any of the information contained in this publication. Any party that relies on the information contained in this publication does so at its own risk. Access to this publication is not intended to create nor does it create a solicitor-client relationship between the reader and Maddocks.
Maddocks House Level 1, 40 Macquarie Street Barton ACT 2600 Australia 61 2 6120 4800
Collins Square | Tower Two Level 25, 727 Collins Street Melbourne VIC 3008 Australia 61 3 9258 3555
Angel Place Level 27, 123 Pitt Street Sydney NSW 2000 Australia 61 2 9291 6100