2017 has been another frenetic and significant year for the technology sector. In this series, TechKnowChat Editor Sonia Sharma sits down with members of our Technology team to discuss the major issues of 2017 and what to look out for in 2018.
In our third and final instalment, Partner Caroline Atkins shares with us her views on the introduction of the mandatory data breach laws and what the fallout of the 2016 Census breach looked like.
It’s been seven months since you joined the Maddocks Canberra Office. How is it all going?
The last seven months have been absolutely fantastic. When I and others from the team joined in May 2017, everyone in the firm, and the Canberra office in particular, was so welcoming, and it really was a very seamless transition. All of our clients have been very supportive of the move to Maddocks, and now have the benefit of the additional and complementary expertise within other Maddocks teams, so we have been busier than ever.
There has been a huge spotlight on cyber issues in Canberra and Government. We really saw a fundamental shift in the way in which the Commonwealth Government viewed cyber-related issues. Alastair MacGibbon, Department of the Prime Minister and Cabinet, Special Adviser to the Prime Minister, has talked a lot about the shift from cyber security to cyber resilience. Can you explain what this means for Commonwealth agencies?
It is important that Commonwealth agencies understand and embrace the difference between cyber security and cyber resilience.
While cyber security is often focused on being reactive and “locking down”, cyber resilience is focused on being proactive, prepared and being able to operate, even during a cyber incident. Recent reports suggest that in 2016, 86% of Australian organisations had experienced attempts to compromise the confidentiality, integrity or availability of their network data system. According to the ACS’ Australia’s Digital Pulse 2017, the estimated cost from a cybersecurity attack is $419,000.
A resilience approach is focussed on taking a “whole of business” approach, working collaboratively with key stakeholders across business units embedding a high privacy culture within Commonwealth agencies. This is something that agencies need to instil in their organisational culture and ensure that everyone is working towards their cyber resilience goal.
There are so many changes happening in 2018 in the privacy and data space, from the introduction of the mandatory data breach laws to the new Privacy (Australian Government Agencies — Governance) APP Code 2017. Do you have any tips for Commonwealth agencies to manage these significant changes?
The most important thing is for agencies to be aware of these changes, and to understand what they mean for their particular organisation. This goes for all levels of the agency, from the executive leadership team to project officers who handle data, or manage contractors who handle data, on a day to day basis.
I recommend that agencies, if they have not already done so, make sure they take a pro-active approach now, to eliminate the need for urgent changes in systems, approaches and contracts once the new laws come into effect. For example, agencies should be ensuring now that all of their contractual arrangements that will extend after introduction of the new laws, deal appropriately with the new privacy and data security requirements.
Agencies should also make privacy a key consideration in the design and implementation of all of their information management systems. This means that they need to make privacy a key decision making factor in everything they do, instead of relegating it to an afterthought or ‘something to be done once the system is up and running’.
Earlier this year the Turnbull Government announced new legislation to require technology companies to provide “assistance” to intelligence and law enforcement agencies to access encrypted communications. The Bill is expected to be introduced early next year. Tech companies have so far been fairly critical of the proposed laws. How hard is it for Governments to navigate the complex issues around cyber and intelligence?
The point of the proposed legislation is to expand the current powers of law enforcement and intelligence services into the digital world.
It’s certainly no secret that technological development is dramatically outpacing the law. It’s been a constant struggle for Commonwealth, State and Territory governments to update their laws so that they cover new technologies. This is an issue across all areas of law and not just cyber security. For example, over the past 5 years there has been a huge shift away from broadcast television toward video on demand services, and media laws have struggled to keep up.
The use of end-to-end encryption in everyday communication has increased significantly with many people not even knowing that the messages they send are encrypted. One of the key elements of this proposed legislation (although the details are yet to be released) will be to require technology companies, where there is a valid warrant, to unencrypt certain communication.
The key concern raised by technology companies is a physical ability to do this as the fundamental basis of end-to-end encryption is that the sender and receiver of a message each have an encryption key but the technology company who transmits the message does not.
A key challenge for the Australian Government will be ensuring that the legislation adequately balances technological capability and intelligence requirements.
Can you tell us about the most interesting matter you worked on in 2017? What were some of the challenges you faced?
In the wake of the problems with the Census, there has been a real focus on cyber security issues within government agencies. Our Canberra team has been involved in some revolutionary changes in the way that agencies deal with cyber security and general security issues in their contracts. We have drafted new best practice clauses for contracts, including in relation to threatened and actual security breaches and provisions that deal with cyber security insurance which is becoming more and more common. We are now seeing our mechanisms and clauses pop up in all sorts of places which is very exciting.
We have also been involved in the development of public facing avatars (artificial intelligence) for use on Commonwealth agency websites. This is an area where the government is really using some cutting edge technology and it has been fascinating to be involved in.
On specific matters, the most interesting project I worked on was the establishment of the first whole of government technology agreement with SAP. The challenges of this project included that SAP are a very large incumbent supplier to agencies, and the Digital Transformation Agency (our client) did not have as much leverage as it would have for a normal procurement. In addition, the SAP products and services are complex and we needed to negotiate as many default protections as possible for the broadest possible range of agencies. We also needed to assist the DTA to manage the process of engagement with multiple agency stakeholders with a vested interest in the outcome of the negotiations.
Looking towards 2018, what do you see as the biggest TMT issue Government agencies will face?
Even though data security and privacy has been a key government issue for many years, I think this will remain one of the biggest issues for, at least, the next 12 months. For example, recent research on encryption and re-identification of de-identified data means that it will be necessary to re-examine many of the tools and technologies that have traditionally been relied on as adequate mechanisms to protect important data.
As mentioned earlier, it will be interesting to see how some of these new cyber security focused contracts will work in practice and whether the cyber resilience push has the desired effect and reduces the number of cyber security incidents faced by agencies.
On a personal note, what is the one piece of technology you can’t live without?
I know it’s cliché but I have become very dependent on my iPhone. Whilst in the office it is my connection to the outside world, whether it be a quick check of the news or looking at what the Canberra weather has in store. When I am out of the office it provides me with a quick and simple way to check in, ensuring that I am able to keep on top of the needs of my clients and can touch base with my staff.
Finally, where would you take us out for the best coffee in Canberra?
I don’t have a favourite coffee place but rather a favourite coffee supplier, ONA. The popularity of ONA is growing rapidly across Canberra and more and more coffee shops have started using their amazing beans. Lucky for me, and the Canberra office as a whole, the Double Drummer coffee shop just down the road has just switched to using ONA coffee, and as a double bonus they have just started selling Canberra’s favourite locally made donuts, Bombolini.
Read Part 1 of our TechKnowChat end of year mini-series with Sydney Partner Brendan Coady and Part 2 with Sean Field.
More about Caroline: Caroline is a leading technology and IP lawyer renowned for her experience in Australian Government procurement and contracting. Caroline has developed many widely-used RFT and contract precedents, and is a highly effective procurement strategist and negotiator. In 2016 Caroline was named in the Australian Lawyer Hot List of Lawyers for 2016.
More about Sonia: Sonia is a commercial lawyer who specialises in intellectual property, technology and telecommunications matters. She provides strategic, commercially focussed advice to clients in the entertainment, media and telecommunications sector. Sonia was nominated for the Young Achiever category at the 2011 Communications Alliance and CommsDay Awards.