TechLAW 2016 Sydney
27 July 2016
TechLAW Australia 2016
Agenda
9.30am Welcome and Introduction Tim Lyons, Partner & Head of Technology Sector, Australia, DLA Piper
9.35am Deloitte's TMT predictions Stuart Johnston, Leader, Technology, Media and Telecommunications, Deloitte
10.15am Cyber security Tim Lyons, Partner & Head of Technology Sector, Australia, DLA Piper
10.55am Five key IT contracting trends and issues for large scale organisations Caroline Atkins, Partner, DLA Piper
11.30am Morning tea
11.45am IT upgrades Gowri Kangeson, Partner, DLA Piper
12.25pm Wearable technologies Panel discussion hosted by Nicholas Boyle, Senior Associate, DLA Piper featuring Brett Feltham, Partner, DLA Piper, Duncan Young, Head of Workspace Health & Wellbeing, Lendlease and Allen Liao, Founder of Tzukuri
1.00pm-1.30pm Closing remarks and lunch
Deloitte TMT predictions 2016
Stuart Johnston, Leader - TMT, Deloitte
July 2016
Cyber Security – preparing for a breach
Tim Lyons, Partner
27 July 2016
Current Threat Environment - Strategic Importance
Diverse and evolving legal and regulatory landscape
Exponential growth of information
Growing protection challenge
Corporate requirements and privacy collide
Data and information breaches/disputes
- High cost of mistakes
Not all actors are equal
[Figure: threat actors plotted by damage potential (vertical axis) against ICT skillsets required / available pool (horizontal axis).]
Actors shown: Nation State; Hostile Non-State or Quasi-State Actor; Political Movement / Anarchist; Business Organisation; Criminal Gang / Fraudster; Prankster; Hacker
Organisation: Individual; Loose aggregation; Structured organisation
Motivation: Ideology / Self-interest; Profit / Financial advantage; Command / Coercion; Ego
And not all threats are the same
- Social engineering: 'spoof' emails; VIP impersonation; phishing/spear phishing
- Remote Access Tools (RATs)
- Compromised computers: 'bots', zombies
- Watering holes: compromised legitimate websites
- DoS/DDoS: botnets
- DDoS extortion – ACSC report
- Hacktivism
Data Breaches in the News
But it will never happen to me…will it…?
Total average cost of a data breach is now $2.64 million (Australia)
Average cost paid for each lost or stolen record is $142
Source: Ponemon Institute 2016 - Global Cost of a Data Breach
In a survey commissioned by the UK government, 90% of large organizations suffered a breach in the past year alone, compared to 80% in the previous year.
…and so what if it did?
Where do these costs come from?
Above the surface (well-known cyber incident costs):
- Customer breach notifications
- Post-breach customer protection
- Regulatory compliance (fines)
- Public relations/crisis communications
- Legal fees and litigation
- Cybersecurity improvements
- Technical investigations
Below the surface (hidden or less visible costs):
- Insurance premium increases
- Increased cost to raise debt
- Operational disruption or destruction
- Lost value of customer relationships
- Value of lost contract revenue
- Devaluation of trade name
- Loss of intellectual property
Source: Deloitte - 'Fourteen Cyberattack impact factors'
This is an IT issue though, right?
Boards of Directors increasingly see CEOs as the ones responsible for implementing and maintaining cybersecurity procedures and protection measures.
But only 31 percent of executives were confident in their organization's cyber-security posture.
Survey conducted by Raytheon
General counsel listed data privacy/security as one of their top concerns.
But 60 percent said their companies still lack the proper preparation for a cyber breach.
Recent survey by The Consero Group
Some specific statistics from Australia
Australian Signals Directorate (2015 ACSC Threat Report): responds to cyber incidents involving Australian Government networks.
CERT Australia (2014):
Year                        2011   2012   2013   2014
No. of incidents            313    685    940    1131
Increase on previous year   N/A    119%   37%    20%

Sector:               Energy   Fin. Services   Comms   Defence   Trans.   Others
Percentage of total:  29%      20%             12%     10%       10%      19%
ASIC guidance and requirements
Report 429 - "Cyber resilience: Health check" – published in March 2015
ASIC noted that corporates must consider how and when a cyber attack may need to be disclosed as market-sensitive information in accordance with continuous disclosure obligations
Directors' obligations to take cyber risks into account when discharging their duties in considering risk management issues
We are seeing more active engagement of the board and senior executives in data management issues
Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 – Exposure Draft
A serious data breach occurs if:
a) there is unauthorised access to, unauthorised disclosure of, or loss of, personal information (or certain other information) held by an entity; and
b) as a result, there is a real risk of serious harm to any of the individuals to whom the information relates.
Harm includes:
a) physical harm;
b) psychological harm;
c) emotional harm;
d) harm to reputation;
e) economic harm; and
f) financial harm.
Real risk means a risk that is not a remote risk.
Australian Cyber Security Agencies
Australian Criminal Intelligence Commission: acts as the national criminal intelligence agency with investigative, research and information delivery functions.
Australian Federal Police: polices crimes which can be facilitated using technology, such as fraud, scams and harassment, and monitors potential threats in the domestic and international law enforcement operating environment.
Australian Security Intelligence Organisation: deals with threats to Australia's national security by collecting security intelligence through technical operations, and assessing and advising the Government on cyber security matters.
Australian Signals Directorate: responsible for providing advice and other assistance to ensure the security of federal and state authorities.
Computer Emergency Response Team (CERT) Australia: acts as the main point of contact in the Government for cyber security issues affecting Australian businesses and provides advice and support on cyber threats to owners and operators of Australia's critical infrastructure.
Defence Intelligence Organisation: provides intelligence assessments of cyber threats on countries and foreign organisations relevant to Australia's security and strategic environment.
Australian Cyber Security Strategy 2016 – A Proposed Approach
Table reproduced from https://cybersecuritystrategy.dpmc.gov.au/assets/img/PMC-Cyber-Strategy.pdf, page 32.
An integrated view of cyber-risk management
Eight key questions
- Do you have a strong governance programme in place?
- Do you have an incident response plan in place? Have you tested it?
- Are you regularly reviewing, assessing and responding to the threat environment?
- Are you managing upstream and downstream risks? Have you aligned operations with commitments? What about cloud-based solutions?
- Have you addressed cyber risks in M&A transactions?
- How will you (and key partners) respond to a breach? Have you ensured required resources will be available?
- How will you manage changes in the regulatory environment (see the impact of the decision that held the Safe Harbor regime to be invalid)?
- Does your insurance provide financial cover for data breach risk?
Eight cyber-incident threat mitigations
- Appropriate IT, personnel and device-level policies
- Aligning operations with regulatory and contractual commitments
- Compliance training and monitoring compliance
- Strong and effective contract rights and ongoing governance of partners
- Develop and regularly test incident response plans – ensure links to critical vendors are considered
- BCP/DR plans and facilities
- Information sharing and feedback
- Cyber-insurance protection
DLA Piper tools and resources
IT contracting issues and trends for large scale organisations
Caroline Atkins, Partner
July 2016
The five issues and trends
1. Outcome-based contracting
2. Supplier collaboration
3. Software licensing compliance
4. Data protection
5. Cognitive computing / smart contracts
1. Outcome-Based Contracting
Issue: how to contract for what really matters
Definition of an outcomes-based contract: an agreement based on results, not defined tasks or the use of specific assets or inputs
Benefits:
- Supplier can be more flexible and innovative
- Reduces costs to both parties
- Supplier can be more responsive to customer objectives
Challenges:
- Determining the outcomes
- Measuring performance
- Changing the management culture
2. Supplier Collaboration
Issue: multi-vendor projects depend on collaboration between suppliers
Features of an effective collaboration framework:
1. Supplier collaboration deed
2. Identify supplier inter-dependencies
3. Multi-party governance model
4. Additional contract rights and remedies
3. Software Licensing Compliance
Issue: how do you control the complexity of software licensing?
Solution:
1. Consolidate and simplify the contractual arrangement
2. Use a single standard vendor agreement if possible
3. Specify rights and metrics in one document (avoid hyperlinks, unilateral rights of change)
4. Establish a compliance management process
5. Rectify licences to reflect current usage before a claim is made
6. Renegotiate licence terms when changes are needed
4. Data Protection
Data protection in Europe - General Data Protection Regulation
GDPR applies from 25 May 2018
Interesting features:
- harmonised framework
- consent requirements
- right to be forgotten
- strengthened sanctions
- off-shore application
5. Cognitive Computing / Smart Contracts
Issue: controlling legal risks associated with automated or interactive computer programming
Definition – Cognitive Computing: systems that learn at scale, reason with purpose and interact with humans naturally
Definition – Smart Contract: a computing program that automatically executes terms of an agreement once certain conditions have been fulfilled
Issues:
Cognitive Computing:
- Risk of error and liability
- Reliance by non-contracting parties
- Disclaimers
- Privacy issues
Smart Contracts:
- Inflexible agreement
- Lack of security
- Risk of error
- Lawyers will have to learn to code to ensure the coding is clear and watertight
- Can't deal with unpredictable events
Morning tea
LITIGATION TRENDS SPOTLIGHT ON IT UPGRADES: How to prevent debacles and what to do if they happen
Gowri Kangeson, Partner
July 2016
Litigation trends: spotlight
- Contractual disputes: managing poor service delivery (and termination of contracts): this presentation
- Employment disputes – competitors poaching talent & IP
- Cyber security – data privacy and data security: DLA's Cyber Security session
- Governmental investigations, regulatory actions and possible related class actions: penalising or reviewing alleged cases of bribery, kick-back investigations, consumer protection (e.g. misleading conduct or unfair contract terms)
- Intellectual property litigation: high-profile patent, copyright and other intellectual property disputes, counterfeit electronics
Recent Litigation Trends Survey
What worries Australian corporations: "Consistent with their global counterparts, Australian respondents cited an increase in class actions as their greatest future threat. Apart from class actions, Australian companies also fear the burden of dealing with a generally more litigious environment."
Specifications
- Provide the technical and functional specifications required by the customer
- Must be clearly set out
- More than just "business requirements"
[Figure: Functional Requirements and Design Solution]
Project Plan and Milestones
- The customer will require a project plan to be included in the agreement setting out time frames for meeting specified milestones
- The customer must be notified of any delays together with the cause of that delay
- Only the customer should be permitted to extend delivery times
Acceptance Testing
- The customer should conduct acceptance testing in relation to deliverables
- The deliverables need to perform in accordance with the specifications
- What happens if acceptance tests are not passed?
Liquidated Damages
"The essence of liquidated damages is a genuine covenanted pre-estimate of damage" Ringrow Pty Ltd v BP Australia Pty Ltd (2005) 224 CLR 656
Licence Terms
If the supplier is licensing software or materials to the customer, the licence terms must permit the required use of the deliverable
The licence should be:
- perpetual
- royalty free
- transferable
- sub-licensable
Warranty and Shakedown
- Warranty period: period where the supplier is promptly required to rectify defects at no additional charge
- Customer should seek a warranty period of at least 90 days
- This should be preceded by a shakedown period
- Shakedown period: customer uses the software/solution in production to monitor its performance
- The shakedown period should operate until the software/solution operates for a period of 30 days without defects
Service Levels and Service Credits
Service Levels: specific standards of performance that need to be achieved
Service Credits: reduction in fees if the supplier does not meet the Service Levels
[Figure: SLA between Supplier and Client – service delivery measured against customer requirements]
What to do if they happen?
- Has a binding contract been formed? If so, on what terms? (Incorporation of general conditions)
- Review the contract and any variations, POs, emails – changed/extra work
- Can you easily identify the requirement(s) which have been breached?
- Obtain an understanding of the reasons for failure to meet the requirements
- Do we know of all the promises/representations made by the supplier?
- Has there been a delay by the customer? What has the supplier said to date?
- Prevent waivers
- Do any laws modify the contractual position?
- Should a formal notice of breach be issued? Should steps be taken to preserve the position?
- Is there an indemnification clause? Does it cover the situation?
- Is the supplier's insurance coverage relevant?
- Is there a liquidated damages clause? Does it cover all losses suffered?
- Double recovery – general damages, liquidated damages, rectification costs
- Can the customer legitimately withhold, retain or set off payments? Is there a process in the contract to follow if such a move is contemplated?
- Can the customer call on the performance guarantee? Should the customer elect to do this?
- Is there an exclusive remedies clause in the contract?
- What are the dispute resolution provisions in the contract?
- What is the best tactic to resolve the dispute?
- Should the customer rely on any suspension or termination provisions?
- What leverage does the customer or supplier have? Global relationship (routine review of strategic partners), how many contracts we have with the supplier, future opportunities to work together, senior management meeting, audit rights
- Involve lawyers and experts in determining the next steps
Contract Management Tips
- Use an expert IT internal project manager and a good business analyst
- Be flexible & reasonable (in particular with data migration and features)
- Communication is key: regular communication at the senior management level of the project and implementation timeline
- Dashboard updates for senior management
- Be transparent about the progress and costs
- Recognise upfront the difficulties with completing a project quickly – number of stakeholders, knowledge of stakeholders, risk appetite of customer
- Store the contractual terms, exhibits, annexures and summaries together
- Routine contract compliance reviews for major supply contracts – audits, variations, track insurance and risk allocation provisions and avoid waivers
- Regular contract reporting
- Connect & communicate with the business/operations team – context of drafting, business value and benefit of your insights
- Ensure adequate assessment of vendor capability to deliver the project
- Ensure effective project management and project governance
- Manage the politics and different interest groups
- Consistent and tenacious monitoring of progress with project delivery
- Clearly articulate the business requirements for the system purchased, including changes and upgrades required to integrate with the existing IT infrastructure
- Think about whether the technology will be obsolete within a short period
- Commitment to adequate testing before Go Live
Avoid a corruption inquiry
- Properly and clearly document compliance with procurement guidelines
- Ensure appropriate contact is maintained with the customer
- Disclose what you need to disclose to the customer
- Do not mislead the customer
- If a sub-contractor is involved, disclose this
- Ensure you can demonstrate that you have reasonable grounds to state that the project will cost X and take Y to complete
Wearable technologies
Panel discussion hosted by Nicholas Boyle, Senior Associate, DLA Piper featuring Brett Feltham, Partner, DLA Piper, Duncan Young, Head of Workspace Health & Wellbeing, Lendlease and Allen Liao, Founder of Tzukuri
27 July 2016
Closing remarks and lunch