TechLAW 2016 Melbourne - DLA Piper · 2016-08-03 · TechLAW 2016 Melbourne 3 August 2016 . TechLAW...

TechLAW 2016 Melbourne

3 August 2016

TechLAW Australia 2016

Agenda

2

9.30am Welcome and introduction

9.35am Deloitte's technology, media and telecommunications predictions Stuart Scotis, Deloitte

10.15am Cyber security Tim Lyons, DLA Piper

10.50am Wearable technologies Sarah Birkett and Rick Catanzariti, DLA Piper

11.30am Morning tea 11.45am Five key IT contracting issues and trends for large scale organisations

Gavan Mackenzie, DLA Piper

12.25pm IT upgrades Gowri Kangeson, DLA Piper

1.00pm Closing remarks and networking lunch

Deloitte TMT predictions 2016

Stuart Scotis, Partner - TMT, Deloitte

August 2016

Cyber Security – preparing for a breach

Tim Lyons, Partner

August 2016


Current Threat Environment - Strategic Importance

Diverse and evolving legal and regulatory landscape

Exponential growth of information

Growing protection challenge

Corporate requirements and privacy collide

Data and information breaches/disputes

- High cost of mistakes

5

Not all actors are equal D

AMAG

E

PO

TEN

TIAL

Nation State

Hostile Non-State or Quasi-State Actor

Political Movement Anarchist

Business Organisation

Criminal Gang Fraudster

Prankster

Motivation

Individual Loose aggregation Structured organisation

Ideology/ Self-interest

Profit/ Financial advantage

Command/ coercion

Ego

Hacker

ICT SKILLSETS REQUIRED / AVAILABLE POOL

6 TechLAW Australia 2016

Social engineering 'spoof' emails; VIP impression; phishing/spear phishing

Remote Access Tools (RATs)

Compromised computers 'bots; zombies

Watering-holes compromised legitimate website

DOS/DDOS 'botnets

DDOS extortion – ACSC report

Hacktivism

And not all threats are the same


Data Breaches in the News


http://www.google.co.uk/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=0CAcQjRxqFQoTCLuK2avhj8gCFcgN2wod9hYBsA&url=http://www.eudataprotectionlaw.com/learning-from-ashley-madison/&psig=AFQjCNFD9zzZ5Tfor8JlLNiPgThU8k_i6g&ust=1443187171675470

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&uact=8&docid=709kurH5gSO6LM&tbnid=HmSPVQQsZYLxnM:&ved=0CAUQjRw&url=http://article.wn.com/view/2014/05/06/target_ceo_x2019s_ouster_shows_rising_focus_on_breaches/&ei=vpORU7K6IKrQ7AaDhoHwDg&bvm=bv.68445247,d.ZGU&psig=AFQjCNHgTylu0Pb-bB_HBnOAt7gwG6DMeA&ust=1402135844945824

But it will never happen to me…will it…?

Total average cost of a data breach is now

$2.64 million (Australia)

Average cost paid for each lost or stolen record is $142

Source: Ponemon Institute 2016 - Global Cost of a Data Breach

In a survey commissioned by the UK government 90% of large organizations suffered a breach in the past

year alone, compared to 80% in the previous year.

…and so what if it did?


Above the surface well known cyber incident costs Customer breach notifications

Post-breach customer protection

Regulatory compliance (fines)

Public relations/crisis communications

Legal fees and litigation

Cybersecurity improvements

Technical investigations

Below the surface hidden or less visible costs Insurance premiums increases

Increased cost to raise debt

Operational disruption or destruction

Lost value of customer relationships

Value of lost contract revenue

Devaluation of trade name

Loss of intellectual property

10

Where do these costs come from?

Source: Deloitte - 'Fourteen Cyberattack impact factors'


This is an IT issue though, right?

Boards of Directors increasingly see CEO's as the ones responsible for implementing and maintaining cybersecurity procedures and protection measures.

But only 31 percent of executives were confident in their organization's cyber-security posture.

Survey conducted by Raytheon

General counsel listed data privacy/security as one of their top concerns.

But 60 percent said their companies still lack the proper preparation for a cyber breach.

Recent survey by The Consero Group


Some specific statistics from Australia

Australian Signals Directorate (2015 ACSC Threat Report) Responds to cyber incidents involving Australian Government

networks:

CERT Australia (2014)

2011 2012 2013 2014

No. of incidents 313 685 940 1131

Increase on previous year N/A 119% 37% 20%

Sector: Energy Fin. Services Comms Defence Trans. Others

Percentage of total: 29% 20% 12% 10% 10% 19%


ASIC guidance and requirements

Report 429 - "Cyber resilience: Health check" – published in March 2015

ASIC noted that corporates must consider how and when a cyber attack may need to be disclosed as market-sensitive information in accordance with continuous disclosure obligations

Directors' obligations to take cyber risks into account when discharging their duties in considering risk management issues

We are seeing more active engagement of the board and senior executives in data management issues


Exposure Draft A serious data breach occurs if:

a) there is unauthorised access to, unauthorised disclosure of, or loss of, personal information (or certain other information) held by an entity; and

b) as a result, there is a real risk of serious harm to any of the individuals to whom the information relates.

Harm includes: a) physical harm;

b) psychological harm;

c) emotional harm;

d) harm to reputation;

e) economic harm; and

f) financial harm.

Real risk means a risk that is not a remote risk.

14

Privacy Amendment (Notification of Serious Data Breaches) – Bill 2015


Australian Criminal Intelligence Commission Acts as the national criminal intelligence agency with investigative,

research and information delivery functions.

Australian Federal Police Polices crimes which can be facilitated using technology, such as

fraud, scams and harassment, and monitors potential threats in the domestic and international law enforcement operating environment.

Australian Security Intelligence Organisation Deals with threats to Australia's national security by collecting

security intelligence through technical operations, and assessing and advising the Government on cyber security matters.

Australian Cyber Security Agencies


Australian Signals Directorate Responsible for providing advice and other assistance to ensure

the security of federal and state authorities.

Computer Emergency Response Team (CERT) Australia Acts as the main point of contact in the Government for cyber

security issues affecting Australian businesses and provides advice and support on cyber threats to owners and operators of Australia's critical infrastructure.

Defence Intelligence Organisation Provides intelligence assessments of cyber threats on countries

and foreign organisations relevant to Australia's security and strategic environment.


Australian Cyber Security Strategy 2016 – A Proposed Approach

Table reproduced from https://cybersecuritystrategy.dpmc.gov.au/assets/img/PMC-Cyber-Strategy.pdf, page 32.


An integrated view of cyber-risk management


Do you have a strong governance programme in place?

Do you have an incident response plan in place? Have you tested it?

Are you regularly reviewing, assessing and responding to the threat environment?

Are you managing upstream and downstream risks? Have you aligned operations with commitments? What about cloud-based solutions?

Have you addressed cyber risks in M&A transactions?

How will you (and key partners) respond to a breach? Have you ensured required resources will be available?

How will you manage changes in the regulatory environment (see the impact of the decision that held the Safe Harbor regime to be invalid)?

Does your insurance provide financial cover for data breach risk?

Eight key questions


Appropriate IT, Personnel and Device Level policies

Aligning operations with regulatory and contractual commitments

Compliance training and monitoring compliance

Strong and effective contract rights and ongoing governance of partners

Develop and regularly test incident response plans – ensure links to critical vendors are considered

BCP/DR plans and facilities

Information sharing and feedback

Cyber-insurance protection

Eight cyber-incident threat mitigations


DLA Piper tools and resources


Wearables in the workplace Legal implications and challenges

Sarah Birkett and Rick Catanzariti

August 2016

Productivity gains 'smart' glasses and GPS to locate factory stock

OHS Safety vests with inbuilt sensors

'Smart' caps or safety helmets to monitor fatigue

Wellness programmes improve health and wellbeing of workers

encourages participation

reduce corporate healthcare costs

Trends in wearables in the workplace


The 'employee records exemption' under the Privacy Act likely won't apply:

– third parties involved in collection of information

– activity during work hours vs activity 'out of hours'

Employers likely need to comply with the Privacy Act in relation to personal information collected by wearables:

– APP 1 – need to have an APP-compliant privacy policy

– APP 5 – need to provide notice to employees about what information is being collected, why, how it will be used etc.

– APP 8 – requirements that apply before information can be disclosed to recipients outside Australia

– APP 11 – requirements to protect personal information from misuse, modification, loss, unauthorised disclosure etc.

What privacy considerations might apply?


Is the information collected 'sensitive information'?

Can the information be used for marketing or other purposes?

What privacy considerations might apply?


There are specific workplace surveillance laws in NSW and the ACT - Workplace Surveillance Act 2005 (NSW) and Workplace Privacy Act 2011 (ACT) – with some limited coverage of workplace surveillance by optical or listening devices in Victoria (under the Surveillance Devices Act 1999 (Vic))

Requirements include notification to employees, having policies in place, limitations on use

Regimes apply more broadly than just to wearables, so organisations may already have policies and processes in place (eg, because of existing IT monitoring activities) that can be adapted

ALRC has called for uniform workplace surveillance laws in its report "Serious Invasions of Privacy in the Digital Era" published in March 2014, but does not appear to have been any move to introduce such legislation as yet

Are the proposed activities subject to specific 'workplace surveillance' legislation?


Will the information collected be used for disciplinary / performance management purposes? Need to be clear with employees about how it will be used

More information about employees could potentially give rise to obligations to make 'reasonable adjustments' for employees

Potential for discrimination and unfair dismissal claims

Possible implications under WHS and workers' compensation laws: Does greater knowledge change the duty of care to workers?

Mental wellbeing as well as physical

Information relating to employees' behaviour and activities 'out of hours' vs those at work (eg, interrupted sleep)

What other employment law considerations should employers take into account?


Morning tea

IT contracting issues and trends for large scale organisations

Gavan Mackenzie, Special Counsel

August 2016

1. Outcome-based contracting

2. Supplier collaboration

3. Software licensing compliance

4. Data protection

5. Cognitive computing / smart contracts

TechLAW Australia 2016 30

The five issues and trends

Issue:

How to contract for what really matters

Definition of an outcomes based contract:

An agreement based on results, not defined tasks or the use of specific assets or inputs


1. Outcome-Based Contracting

Benefits:

Supplier can be more flexible and innovative

Reduces costs to both parties

Supplier can be more responsive to customer objectives

Challenges:

Determining the outcomes

Measuring performance

Changing the management culture


1. Outcome-Based Contracting

Issue:

Multi-vendor projects depend on collaboration between suppliers

Features of a effective collaboration framework:

1. Supplier collaboration deed

2. Identify supplier inter-dependencies

3. Multi-party governance model

4. Additional contract rights remedies


2. Supplier Collaboration

Issue: How do you control the complexity of software licensing?

Solution: 1. Consolidate and simplify the contractual arrangement

2. Use a single standard vendor agreement if possible

3. Specify rights and metrics in one document (avoid hyperlinks, unilateral rights of change)

4. Establish a compliance management process

5. Rectify licences to reflect current usage before a claim is made

6. Renegotiate licence terms when changes are needed


3. Software Licensing Compliance

Data protection in Europe - General Data Protection Regulation

GDRP applies from 25 May 2018

Interesting features:

harmonised framework

consent requirements

right to be forgotten

strengthened sanctions

off-shore application


4. Data Protection

Issue:

Controlling legal risks associated with automated or interactive computer programming

Definition – Cognitive Computing: Systems that learn at scale, reason with purpose and interact with humans naturally

Definition – Smart Contract:

Computing program that automatically executes terms of an agreement once certain conditions have been fulfilled


5. Cognitive Computing / Smart Contracts

Issues:

Cognitive Computing Risk of error and liability

Reliance by non-contracting parties

Disclaimers

Privacy issues

Smart Contracts Inflexible agreement

Lack of security

Risk of error

Lawyers will have to learn to code to ensure the coding is clear and watertight

Can't deal with unpredictable events


5. Cognitive Computing / Smart Contracts

LITIGATION TRENDS SPOTLIGHT ON IT UPGRADES: How to prevent debacles and what to do if they happen

Gowri Kangeson, Partner

August 2016

Contractual disputes: Managing poor service delivery (and termination of contracts): This presentation

Employment disputes – competitors poaching talent & IP

Cyber security – data privacy and data security: DLA's Cyber Security session

Governmental investigations, regulatory actions and possible related class actions: penalising or reviewing alleged cases of bribery, kick back investigations, consumer protection (e.g. misleading conduct or unfair contract terms)

Intellectual property litigation: High-profile patent, copyright and other intellectual property disputes, counterfeit electronics


Litigation trends: spotlight

What worries Australian corporations “Consistent with their global counterparts, Australian respondents cited an increase in class actions as their greatest future threat. Apart from class actions, Australian companies also fear the burden of dealing with a generally more litigious environment.”


Recent Litigation Trends Survey

Provide the technical and functional specifications required by the customer

Must be clearly set out

More than just "business requirements"

Functional Requirements

Design Solution


Specifications

The customer will require a project plan to be included in the agreement setting out time frames for meeting specified milestones

The customer must be notified of any delays together with the cause of that delay

Only the customer should be permitted to extend delivery times


Project Plan and Milestones

The customer should conduct acceptance testing in relation to deliverables

The deliverables need to perform in accordance with the specifications

What happens if acceptance tests are not passed?


Acceptance Testing

"The essence of liquidated damages is a genuine covenanted pre-estimate of damage" Ringrow Pty Ltd v BP Australia Pty Ltd (2005) 224 CLR 656


Liquidated Damages

If the supplier is licensing software or materials to the Customer, the licence terms must permit the required use of the deliverable

The licence should be:

perpetual

royalty free

transferable

sub-licensable


Licence Terms

Period where the supplier is promptly required to rectify defects at no additional charge

Customer should seek a warranty period of at least 90 days

This should be preceded by a shakedown period

Customer uses software/solution in production to monitor the performance

The shakedown period should operate until the software/solution operates for a period of 30 days without defects


Warranty and Shakedown

Service Levels

Specific standards of performance that need to be achieved

Service Credits

Reduction in fees if the supplier does not meet the Service Levels


Service Levels and Service Credits

SLA

Supplier Client

Service delivery

Customer Requirements

Has a binding contract been formed? If so, on what terms? (Incorporation of general conditions)

Review the contract and any variations, POs, emails – changed/extra work

Can you easily identify the requirement(s) which have been breached?

Obtain an understanding of the reasons for failure to meet the requirements

Do we know of all the promises/representations made by the supplier?

Has there been a delay by the customer? What has the supplier said to date?

Prevent waivers

Do any laws modify the contractual position?

Should a formal notice of breach be issued? Should steps be taken to preserve the position?

Is there an indemnification clause? Does it cover the situation?

Is the supplier's insurance coverage relevant?


What to do if they happen?

Is there a liquidated damages clause? Does it cover all losses suffered?

Double recovery – general damages, liquidated damages, rectification costs

Can the customer legitimately withhold, retain or set off payments? Is there a process in the contract to follow if such a move is contemplated?

Can the customer call on the performance guarantee? Should the customer elect to do this?

Is there an exclusive remedies clause in the contract?

What are the dispute resolution provisions in the contract?

What is the best tactic to resolve the dispute?

Should the customer rely on any suspension or termination provisions?

What leverage does the customer or supplier have? Global relationship (routine review of strategic partners), how many contracts we have with the supplier, future opportunities to work together, senior management meeting, audit rights

Involve lawyers and experts in determining the next steps


What to do if they happen?

Use an expert IT internal project manager and a good business analyst

Be flexible & reasonable (in particular with data migration and features)

Communication is key: Regular communication at the senior management level of the project and

implementation timeline

Dashboard updates for senior management

Be transparent about the progress and costs

Recognise upfront the difficulties with completing a project quickly – number of stakeholders, knowledge of stakeholders, risk appetite of customer

Store the contractual terms, exhibits, annexures and summaries together

Routine contract compliance reviews for major supply contracts – audits, variations, track insurance and risk allocation provisions and avoid waivers

Regular contract reporting

Connect & communicate with the business/operations team – context of drafting, business value and benefit of your insights


Contract Management Tips

Ensure adequate assessment of vendor capability to deliver the project

Ensure effective project management and project governance

Manage the politics and different interest groups

Consistent and tenacious monitoring of progress with project delivery

Clearly articulate the business requirements for the system purchased including changes and upgrades required to integrate to the existing IT infrastructure system

Think about whether the technology will be obsolete within a short period?

Commitment to adequate testing before Go Live


Contract Management Tips

Properly and clearly document compliance with procurement guidelines

Ensure appropriate contact is maintained with the customer

Disclose what you need to disclose to the customer

Do not mislead the customer

If a sub-contractor is involved – disclose this

Ensure you can demonstrate that you have reasonable grounds to state that the project will cost X and take Y to complete


Avoid a corruption inquiry

Closing remarks and lunch

TechLAW 2016 Melbourne - DLA Piper · 2016-08-03 · TechLAW 2016 Melbourne 3 August 2016 . TechLAW...

Documents

Transcript of TechLAW 2016 Melbourne - DLA Piper · 2016-08-03 · TechLAW 2016 Melbourne 3 August 2016 . TechLAW...