Sunday, 8 March 2015

Who is a Data Thief?

So who’s the thief? Well the bad news is that it could be anyone and they certainly won’t be wearing dark glasses, a hoodie and sloping around your office – although some of your current employees may dress like this.

A data thief is anyone. Your business partner, senior executive team member, employee, tech-support person, contract sales person, a locum, the employed or contracted health care professional, the admin manager, cleaner, yes even the cleaner ‘could have dunnit.’ Anyone with authorised and unauthorised access to your computer system could steal information from it.

Unauthorised access? In a data theft case in 2010 a Sydney massage therapist used the receptionists login to download the medical centres patient list to a disc after she had asked him to watch the front desk while she went to the the bathroom. He had worked at the centre for over 6 years and was highly regarded by his peers. He used the stolen patient information to start a massage therapy practice less than 75 metres from his employer. He was reported to Police and the ATMS. Nothing came of those reports because he had authorised access to "the premises".

Data Thieves only need the desire, some knowledge of the systems, most times the password/s (many people still use the word ‘password’ as their password), the opportunity and the time to plan their move. In a very recent case a graduate Osteopath, contracted as a locum, collected business cards or mobile phone numbers from the medical centres patients. After compiling a large list he used it to secure a position with a competitor and then contacted the patients in a series of change of address txts. Two days after sending out the txts he resigned from his former employer. According to a Judge in the Supreme Court this behaviour is acceptable and found in the Osteopaths favour.

The reality is, there is such a thing as a typical data thief and some common traits that can provide some, and I mean some, insight to who might be a data thief.

Research shows that a data thief will usually feel entitled to the information and are disgruntled for some reason. They might feel entitled because they helped to create it, therefore they have some ownership of it or entitlement because other people in the company are doing it, or because they know the company won’t be able to find out it was them or even if they did won't have the financial means to go after them.

They also might have ambitions of their own. They might want to start their own business, in which case planning the data theft probably started weeks or even months before they walked out the door. De-risking a start-up is one of the most common reasons for data theft particularly by healthcare professionals. It takes many years, a huge investment in cash and resources to build a medical practice to the critical mass required to be profitable.

Stealing the patient list and sending a change of address series of emails and txt's is a very quick way of ensuring the data thief will have patients when they open the doors of their new practice. Most patients will just think the emails and txt's are a courtesy to inform them the practitioner they have been seeing has moved to a new location and will not be aware of the restrictive covenants covered by most healthcare professional employment and sub-contractor agreements.

The ‘typical data thief’, will most likely be a current employee, male, in their mid 30s and requires access to meet their job-function. Interestingly, in 75% of reported cases, the data thief had authorised access to the data – so you can forget trying to report them to Police or any other authority.

This last point is where the cleaner comes in. If the cleaner has authorised access to the floor/office your computers are in and steals data only from those computers you’ll be hard pressed getting Police or any other authority involved because he had authorised access to the premises. Perhaps this is where the true meaning of the phrase, ‘being taken to the cleaners’ comes from.