Tuesday, 22 November 2016

SAI Global sues former worker for raiding database

By Sarah Danckert Sydney Morning Herald

Nicking a pen or taking some batteries home from the office is almost an Australian past-time, but some people take a whole lot more from their employers and end up paying for it dearly.

Last week, the Federal Court found that an employee at information services and compliance powerhouse SAI Global had accessed the company's database and made copies onto a USB stick and then an Excel spreadsheet before jumping to competitor Infotrack.

Sales staffer Liam Johnstone breached his employment contract with SAI Global, his employment duties under the Corporations Act and the company's copyright through his unauthorised use of SAI Global's confidential data, according to declarations made by Justice Mark Moshinsky.

SAI Global sued Mr Johnstone for a little over $9231 in damages and returned wages as well as $275,469 in costs after discovering Mr Johnstone's unauthorised access to their database after he left the company in November last year.


Saturday, 4 April 2015

DATA THEFT - Who can help? Very few.

Your data has been stolen. In a way you're one of the lucky ones: you've found out that your data was stolen, and you might even have proof! So what do you do next, and who do you call to stop it being used and bring the perpetrator to justice?

Let’s run through some likely options:
  • You call your lawyer, if you have one. If not, you need to find one who understands data theft and can advise you. Good luck.

    If you do find one, they will ask to see the employee's contract, partnership agreement, or whatever agreement the thief had been engaged under.

    They'll provide their advice as to whether your contract was clear enough in relation to data, access and use (and it's probably not that good). In my experience very few contracts adequately cover data theft.

    They might even suggest writing a legal letter to the person requiring the return of the information, threatening further action and the like.

    To get to this point has probably taken 1-2 weeks and cost you between $5,000 and $12,000.

  • You call the police. Alas, they're not interested because it's a commercial matter. They advise you to call ASIC, the Australian Securities and Investments Commission, or the Office of Fair Trading.

  • You call ASIC. They are polite but let you know theft of this nature is not within their remit and advise you to call the Police.

  • You call the Privacy Commissioner. They also inform you that they are not responsible for enforcing the law. Depending on the annual turnover of your business you may also have woken another monster. If your turnover is over $3 million then guess what, you may also be liable to a fine from the Privacy Commissioner. Oh, by the way, the legislation covering you getting fined does not cover the thief; he's entitled to a get out of jail free card. You see, in the OAIC's interpretation of security over personal information, it is the business owner's responsibility, not the thief's.

  • You call the Office of Fair Trading. They can't help, although they are sympathetic and tell you that they're getting more and more calls about this every day. They suggest, you guessed it, the police.

  • You go back to your lawyer, or the specialist your lawyer has put you on to, to discuss progress in relation to the letter that has been sent. Nothing. The lawyer tells you it's unlikely you'll be able to successfully sue the person, and that if you wanted to it would take at least a year and might cost anywhere between $80,000 and $500,000.

In the end, you have to make the call. Your customers/clients/patients are not returning or making appointments, your staff are feeling the pressure, your suppliers are not being paid as regularly as they used to be, your staff/contractors are also not getting paid on time, and you are falling behind on your rent.

You elect not to pursue the thief as you need to focus on your business. Depending on the extent of the data theft and the damage it caused, this may not be so easy. Many businesses just close down.

If you do decide to proceed against the thief in the District or Supreme Court and your contracts aren't absolutely explicit on who owns the data, then prepare yourself for disappointment. A recent case that ran for four years in the Supreme Court returned a decision in favour of the thief. There will be more on this case in a coming article.

Who can help you? Well, you can, by recognising the importance of employment contracts that include the necessary clauses in relation to the ownership, use and access levels of the company's information, and the agreed value of this information. Yes, that's right: you have to quantify the value of the information, or agree a formula in the agreement for how to determine the value. Your privacy policy with customers, and relevant indemnities for any breach of the agreement and/or your privacy policy, also have to be included in the agreement.

Your employee/contractor will need to sign a clause stating that he has sought legal advice prior to signing the agreement; he will need to initial each paragraph in the agreement that refers to ownership of data and/or IP, the indemnity clause covering any loss or damages caused by any breach of your agreement, and another clause stating that they have read, understand and agree to your privacy policy and, very importantly, that they agree in advance to any changes during the term that may be required for the privacy policy to meet state and federal requirements. They will need to sign your agreement and your privacy policy in front of independent witness(es).

You can also take computer security more seriously and invest in a data security review and implement the recommendations.

Will all of this stop a determined data thief? The answer is no, it won't. However, it will assist you in any legal action, particularly injunctive relief to stop them using your data.

If your bottom line is immediately affected by data theft (for example a medical or health related practice), then your only hope is an injunction to stop use. For this you will need a minimum of $50,000 up front and the ability to offer surety over the thief's costs. If your contracts don't stack up on the rights over data, and most don't, you'll lose.

Example: If an insider collects the business cards of your customers whilst working in your premises for a couple of years, sends change of address emails/SMSs alerting those persons that he is now working for a competitor, and then resigns from you two days later, according to the Supreme Court that's all on the up and up. In this particular case, after rushing the hearing, the judge took 14 months to hand down his decision in favour of the insider. It must be our convict heritage . . . or am I missing something?

If you need assistance with your agreements we can help point you in the right direction.

Friday, 13 March 2015

Data Theft - Once you know, it’s too late!

We have progressed to a near fully digital work environment. Any employee with some computer know-how has the potential to find themselves in a folder they should not be in and to take information out of it.

The reality is, even if you have a sophisticated security, monitoring and tracking system in place across all the computers and mobile devices in your business, you are unlikely to be able to prevent an employee, partner, consultant, or contractor stealing your data.

Big companies spend hundreds of millions of dollars to protect their data and they still can't stop it. Job function more often than not requires you to provide access, and even limited access won't stop a determined thief. So there's little chance that SMEs will have the resources, or access to the knowledge, to know what they can realistically do.

So, the real issue in relation to data theft is to do the best you can to make it harder for someone to steal your data, because you are unlikely to find out until it's too late. And less than a minute after an event is too late: data can be copied by an employee and gone from your business in literally seconds.

Some examples of data theft
A top sales person could take all your business leads and customer contact details to use when they commence work for another company. You might not find out about this until some of your existing customers don't renew their spend with you or when a good customer calls to let you know an ex-employee is trying to win their business.

An agent in your real estate business may take client and/or rent roll information and the like and either set up on their own or, more likely, move to a competitor.

A doctor or other health professional in your medical practice, who requires access to patient files as a part of their job function (in fact, by law, has to have access), could copy all the information in the patient files, leave your practice and take your patients with them. When would you know? When he doesn't turn up for work the next day and you are left with a waiting room full of patients? Or will it be a patient contacting your office about a change of address text or email they received five minutes after the doctor left your centre after a day's work?

The value of patients' contact information is often underestimated. To an identity thief it is the most valuable of all personal data. Contractors and employees have walked away with their employer's patient data just before their month's pay was due to hit their bank account. Why wouldn't they wait until they got paid before stealing the data? Because an opportunity to steal and leave with a valuable customer list presented itself, and it was worth risking not getting their pay.

A common response to all the above is that it's illegal, the information is the company's/firm's/practice's. Firstly, it's not illegal in Australia for an employee to steal data, and do you really think the person stealing the information cares? In fact they probably feel entitled to some, if not all, of it.

In for a penny in for a pound
In a recent case a chiropractor not only stole the contact information of patients he had treated, he stole all of his workmates' patient contact information as well; tens of thousands of patients were affected. This ethically challenged individual provided a hacker with his login to get past the levels of security that had prevented him from even seeing, let alone copying, patients' contact details. Now this would have to be illegal! You'd think! In Australia even this act of fraud is not illegal. How long had he worked for his employer? Over 12 years.

Ah, people say, we have non-compete clauses and other restrictive covenants, we can sue the person for theft, and our clients/patients/customers would not leave. Guess what? Have you ever tried pursuing someone through the courts in relation to a breach of confidence, a non-compete clause or theft? I have. It costs tens of thousands just to launch an action, and you won't get any change out of another hundred thousand dollars (very likely more) to run a case that may take between one and four years to get through the court process, and then the outcome is not at all certain.

And guess what? The thief can ask the courts for you to provide surety over their costs and damages. In many cases, and particularly in the health industry, the theft of customer data has already affected your cash flow, you are not covering your business expenses, and now you are having to fund a protracted court action. You can stop the thief using your data immediately with an injunction, the lawyers will say. You can, if you've got a lazy $80k lying around. Add at least another $50k for surety over the thief's costs. This is big end of town stuff; small business cannot possibly afford these types of actions.

Meanwhile, under a new privacy amendment introduced in 2014, you as the business owner could also be liable for a hefty fine from the Privacy Commissioner, and soon it may also be compulsory to notify everyone affected by the theft, a huge resource-taxing task on its own. The employee who stole the data in the first instance is not covered by the amendment or any other part of the Privacy Act. Yep, that's right, they get away scot-free. You can blame ex-Labor minister Ms Nicola Roxon and her bureaucrats for that added kick in the guts.

In an earlier post I described what happens when you notify your customers that their personal data has been compromised. Your phones will ring off the hook with customers calling to see what information the thief got, and most of the callers will be abusive because, to them, it was the company that didn't protect their information. It's a fickle world out there in consumer land. Many customers will follow the thief and many others will leave because you have bad security. If you couldn't keep their records safe the first time round, why should they trust you?

On top of all this, if your business has been the victim of data theft you are also now facing another reality, particularly if you own a medical practice: "copycat theft". I will cover this in a future post.

There are some things you can do to minimise the risks through employee contracts and your privacy "agreement" with customers. There are also things you can do using off-the-shelf security products and by monitoring staff behaviour. I'll be covering some of these in future posts.
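Two of the behaviours described above leave a trace in an ordinary application audit log: the bulk copy of a patient or customer list that is "gone in seconds", and an insider handing his login to someone outside the practice. The script below is an added example, not code from this blog or from any practice-management product. It assumes a simple space-separated audit log format (timestamp, username, action, record id, source IP), constructed usernames and addresses, and arbitrary thresholds (five times the user's own daily median, a ten-minute window); all of those are assumptions made for the example. It flags (1) a user who reads far more distinct records in a day than on their other days and (2) one account active from two source addresses within a few minutes. As the post says, detection this way comes after the copy has happened, but a timestamped record of who pulled what, from where, is exactly the kind of evidence an injunction application needs.

```python
"""Two insider-theft signals over an application audit log (added example).

The log format is an assumption for this example, not any real product's:
    <ISO-8601 timestamp> <username> <action> <record id> <source IP>
Signal 1: a user views far more distinct records in one day than their own
          baseline on other days (a bulk copy of the patient/customer list).
Signal 2: one account is active from two different source IPs within a short
          window (a login handed to someone else).
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample data, not real records: four ordinary working days,
    then an after-hours evening on which dr_smith's account pulls 60 records,
    half of them from an outside address."""
    lines = []
    base = datetime(2015, 3, 2, 9, 0)
    for day in range(4):
        for n in range(8):
            ts = base + timedelta(days=day, minutes=30 * n)
            lines.append(f"{ts.isoformat()} dr_smith view P{1000 + day * 8 + n} 10.0.0.21")
        for n in range(7):
            ts = base + timedelta(days=day, minutes=30 * n + 5)
            lines.append(f"{ts.isoformat()} dr_jones view P{2000 + day * 8 + n} 10.0.0.22")
    bulk_start = base + timedelta(days=4, hours=9)  # 18:00, after the day's patients
    for n in range(60):
        ip = "10.0.0.21" if n < 30 else "203.0.113.5"  # second half from outside
        ts = bulk_start + timedelta(seconds=20 * n)
        lines.append(f"{ts.isoformat()} dr_smith view P{3000 + n} {ip}")
    for n in range(7):
        ts = base + timedelta(days=4, minutes=30 * n + 5)
        lines.append(f"{ts.isoformat()} dr_jones view P{2032 + n} 10.0.0.22")
    return "\n".join(lines)


def parse_log(text):
    """Return (timestamp, user, action, record_id, src_ip) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, rec, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, action, rec, ip))
    return events


def flag_bulk_access(events, factor=5, min_records=20):
    """Per user and day, count distinct records viewed; flag a day whose count is
    at least min_records and more than `factor` times that user's median on
    their other days.  Returns (user, day, count, baseline) tuples."""
    per_day = defaultdict(lambda: defaultdict(set))
    for ts, user, action, rec, _ip in events:
        if action == "view":
            per_day[user][ts.date()].add(rec)
    flags = []
    for user, days in per_day.items():
        for day, recs in days.items():
            others = [len(r) for d, r in days.items() if d != day]
            baseline = statistics.median(others) if others else 0
            if len(recs) >= min_records and len(recs) > factor * baseline:
                flags.append((user, day, len(recs), baseline))
    return flags


def flag_shared_login(events, window=timedelta(minutes=10)):
    """Flag an account seen from two different source IPs within `window`.
    Returns sorted (user, first_ip, second_ip) tuples."""
    by_user = defaultdict(list)
    for ts, user, _action, _rec, ip in events:
        by_user[user].append((ts, ip))
    flags = set()
    for user, seq in by_user.items():
        seq.sort()
        for i, (t_i, ip_i) in enumerate(seq):
            for t_j, ip_j in seq[i + 1:]:
                if t_j - t_i > window:
                    break
                if ip_j != ip_i:
                    flags.add((user, ip_i, ip_j))
    return sorted(flags)


if __name__ == "__main__":
    evts = parse_log(build_sample_log())
    for user, day, count, baseline in flag_bulk_access(evts):
        print(f"BULK ACCESS  {user} viewed {count} records on {day} (usual ~{baseline:g})")
    for user, ip_a, ip_b in flag_shared_login(evts):
        print(f"SHARED LOGIN {user} active from {ip_a} and {ip_b} within 10 minutes")
```

Run against the constructed log it reports one bulk-access day for dr_smith and one shared-login pair; on a real log the thresholds would need tuning to the practice (a locum covering a colleague's list will legitimately exceed their own baseline), and the log itself has to be written somewhere the user being monitored cannot edit or delete.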

Experienced data theft in your business? Send us Your Story.