Saturday, 6 October 2012

Your Company's most valuable asset - 'data'

For many businesses, data, usually secured on a computer, is their most valuable asset. A sudden change or loss of this data can be financially devastating, which is why backing up data is so important. Backups, however, do not account for data theft by an employee.

Some research on data theft will point toward section 308H of the Crimes Act 1900 (NSW), Summary Offences Act 1966 section 9A (Vic) and similar legislation in other states, The Criminal Code Act 1995 and The Commonwealth Copyright Act. However Police will not charge persons who are employed or who have been provided access to a business by an employer. There is no legislation that will allow Police to charge persons who misuse authorised access to steal data.

In the health industry, where the ethics of healthcare professionals should be sacrosanct, the governing body, the Australian Health Practitioner Regulation Agency (AHPRA), and its various National Boards (Medical, Chiropractic, Osteopathy, Physiotherapy, etc.) treat the act of stealing a patient database and removing it from a medical facility, without authorisation or the written permission of patients, as an “industrial dispute”.

In other words this type of theft does not breach the ethical requirements of membership of Australia’s governing healthcare boards, leaving the civil courts as the only available option for medical practice owners to seek justice.

Patient health records are one of the most prized of all types of data to identity thieves. An organised identity thief will pay a few dollars per patient record just to get hold of the data, and there are numerous clandestine websites where a disgruntled employee, blessed with immunity from prosecution, can upload a database in seconds. Even a small medical practice can have upwards of 20,000 individual patient records.

Most occurrences of unauthorised removal of patient data from a practice don’t end up with an identity thief, and hopefully this continues to be rare. However, if an ethically challenged healthcare professional is prepared to lower their moral standing to such a level as to steal from their employer, then when the passing of patient-identifying information to an identity thief does occur, who would know?

Greed is good, said Gordon Gekko and it is greed that drives the ethically challenged to breach their agreements and steal data from their employer.

More often it is done to help them negotiate a more lucrative position with a competitor or to assist them in starting their own business. Most medical practice owners will actually reject employment applications if they know the applicants are coming with stolen patient data. Apart from the moral and ethical issues, there will always be a concern that, having done it once, the thief will likely do it again.

Usually these morally bankrupt individuals will start their own practice using the data and the relationships they built with patients while at their previous employer, to lower the risk of starting a new business and to keep their lucrative salary intact.

Organising premises in close proximity to their previous employer and contacting the patients by SMS and e-mail, to let them know their practitioner has moved and to invite them to make their next appointment with them, is all that is required to start the new practice. The usual business risks and investment associated with starting a new practice, and the many years required to develop it into a lucrative business, have now been reduced to virtually zero.

Under the guidelines of the Office of the Australian Information Commissioner (OAIC), incidents of data theft require business owners to immediately notify affected consumers that their data may have been compromised.

In the case of healthcare, patients believe or want to believe their practitioner's explanation for moving on from their previous employer and will be happy to continue the relationship with the thief. Involving patients in a dispute between a practice owner and their healthcare professional by notifying them of a breach serves no purpose other than to potentially further alienate the patient.

Abiding by the guidelines of the OAIC and notifying patients raises the question of security and more often leads to complaints and abusive calls to the practice enquiring how their information was compromised in the supposedly secured environment indicated in most medical practice privacy policies.

It also raises the question of the patient’s right to see whichever healthcare professional they choose, which is not the intended purpose of a breach notification. The notification is viewed as resentment by an ex-employer.

One misleading and deceptive post on a blog by a healthcare professional, justifying their own and others' theft of patient data from their employers following a breach notification, was published as follows:

“The patient’s relationship is with the practitioner, and therefore the owner (or custodian) of those records (“goodwill”) is that practitioner. A clinic is a shell, building, cash collection service, but your relationship will always be with your health care worker, not the receptionist or the practice owner.”

The author of this post used an unsuspecting receptionist’s login to dump the patient database onto a USB drive and remove it from his employer's healthcare centre.

This same practitioner was originally hired to see the patients of a medical practice that had already been operating for many years before he started. It wasn't he who hired the practice to provide its management and office-related services, as indicated in his post. After many years and thousands of dollars invested in marketing and resources by the owners to build the practice, he stole the patient database to start his own practice.

This is a typical example of fraud and theft by an unprincipled person and the moral compass by which they navigate their business life. They justify their morally bankrupt behaviour by illuminating the patient’s relationships with the practitioner.

In this and many similar cases it is never a question of the patient’s right to see whomever they choose; it is the deceitful methods used to steal a well-established and thriving practice. Most agreements between healthcare professionals and their employers contain restrictive and enforceable covenants, including geographic and enticement provisions, for an agreed period, usually 12 months.

Geographic provisions in healthcare agreements include not practising with a competitor or starting a practice within an agreed radius of the employer, and enticement provisions include not enticing patients or staff away from the employer. In the example of data theft by the author of the misleading post above, the value of the practice stolen by him was over $500,000.00.

With the lack of legislative support for Police to charge a person or persons who “misuse authorised access” to steal data, business owners are left with few alternatives other than to chase down these individuals in the civil courts. Prosecuting civil cases can cost hundreds of thousands of dollars and may take years to complete. In most cases the thief is rarely pursued, providing additional incentive for employees to commit fraud, and this is likely a primary reason for the data theft epidemic in Australia today.

Commercial lawyers advise business owners to make sure employment agreements are robust, particularly on data ownership, security and restrictive covenants. However, even the most binding contract requires business owners to prosecute the thief civilly, so it can’t be relied upon to stop data theft by unethical employees occurring in the first instance.

Business owners still need deep pockets, persistence and a willingness to pursue the thief in the civil courts when insider theft of data occurs. In some cases the theft will devastate a business financially making it impossible to take on the added expense of litigation. An injunction and surety over costs runs to over $200,000.00. Expected total costs of civil proceedings will usually exceed $200 – $250,000.00.

Even if business owners have the money, time and persistence to head off to court, they will be distracted from running their business and frustrated by the legal process. Whilst business owners are head down trying to rescue the business from the financial effects of the theft, with the added burden of running an exasperatingly costly legal challenge, the thief is enjoying the benefits of his prize, using some of the revenue he has stolen from the business to defend himself.

To add to the frustration, the thief may have no assets in his name, so regardless of any judgement against him, compensation for legal costs, the theft and damages is unlikely.

In the data theft example provided above, the affected business was advised not to pursue the thief, purely on commercial grounds. The individual concerned had no assets to speak of, so prosecuting the case was going to be a pointless waste of money, time and resources.

However, not prosecuting in this case left the door open for the thief to publish misleading and deceptive information to patients, supporting the deceit perpetrated on their ex-employer and further affecting the business, its owners and employees.

If your primary asset is data, you need to examine every possibility for theft to occur from within your business, even by your most trusted employees, in addition to building a paper wall around the asset. Make it a priority to have very specific agreements covering data with employees and take out cyber theft insurance. There are a number of insurance companies now providing cover for cyber-crime.
