Speakers
Synopsis
We will discuss relevant cyberlaw (generally trying to steer away from the default privacy and breach conversations to other conversations that do not get as much airtime). The specific topics we discuss will be decided close to the conference date so that they are relevant on the day.
Examples of questions asked on the panel at CyberCon Canberra:
- In the USA we have seen the FTC target Joe Sullivan in relation to the Uber 2014 hack, where he was the CISO at the time, and then the SEC target another CISO, Tim Brown, for the SolarWinds breach. In both cases, the CISOs were specifically pursued while other company officers were not. This has raised numerous conversations in the USA on the legal responsibilities that regulators now assume of anyone with a CISO title, and how CISOs should be protecting themselves. Do you believe similar regulatory actions will focus on Cyber executives in Australia for failures, or do you believe individuals' regulatory responsibilities on Cyber for a company will be addressed in a different way for us?
- With the growing understanding of how Cyber can have significant impacts on an organisation, and how these can also have significant impacts on the economy and population of the country (e.g. critical infrastructure failures), we see a growing focus on the need to address cyber risk in our supply chain. However, this can lead to unrealistic terms and conditions in contracts (especially if there is a power imbalance), to the expectation of risk assurance because it's covered by contract terms while the organisation's expertise (legal and cyber) does not understand the scope and limits, and in some cases to unexpected liabilities for customer-of-customers risks. What are some of the practices you have seen that can cause issues, what are some things that could be considered when determining how to address supply chain cyber risk, and how do you think this area will evolve looking forward?
- We won't be able to get away from doing a panel these days without asking about AI. How do you see the legal implications of organisations jumping in head first to using or creating AI-based services, and some of the associated organisational impacts that may be linked but are initially not obvious?