Sunday, 1 June 2014

Insider Data Theft - Is your business safe?

Insider data theft incidents are to be taken seriously. In this digital information age, it has become increasingly important to protect your company's intellectual property. In many business cases, IP will be the most valuable asset on the company's balance sheet.

Job functions often require authorised access to IP assets, and it is the misuse of this access that provides the keys to the safe.

One of the most common data thefts is the copying or removal of customer lists by an employee for use at their next job, which is often with a competitor, or to help start a new business as a competitor. It happens so often in Australia that it is almost an accepted norm. In many instances part or all of the employer's customer list will be on a company-provided mobile device or a BYOD device.

Ex-employees often believe they have entitlement to customer lists or other IP if they have contributed to it whilst working for their employer. However, despite this misguided belief, they rarely ask their employer whether they can remove or copy this information before leaving with it.

Data can be disseminated in seconds and once IP has left the building the encore can be financial devastation for company owners, employees and their families regardless of any legal remedies available to the employer.

Often, following a data theft, the ex-employer's customers are contacted within hours of an insider leaving their previous employer. The contact is usually by SMS, email or both, sent to inform the customer of a change of address for their service or product provider.

It is rare that the customer would think any more of the email or SMS than that it is a courtesy to update their address book. In a recent case the data thief used her ex-employer's company name as part of the reply address in an email to the stolen customer list and built a web page including the ex-employer's company name throughout the text. According to personnel at ASIC and Fair Trading, this is not regarded as a serious enough matter to investigate for passing off or deceptive conduct.

Unlike embezzlement, there is no preventive threat of a fraud charge for the insider data thief. The only recourse is the civil courts, a lengthy, often prohibitively expensive road to justice.

In Australia, theft of IP by insiders is not a crime. There is no legislation that provides State or Federal Police with powers to charge ex-employee data thieves, and complaints to Governing Regulatory Authorities or Associations will be lucky to receive a response, let alone a reprimand or some form of sanction for the data thief.

In fact, under recently introduced amendments to the Privacy Act, you and/or your business may be heavily fined by the Privacy Commissioner for not providing adequate security over customers' personal information, whilst the data thief remains immune from prosecution.

Industries most affected by data theft are health, real estate, online shopping, accounting and legal, to name some. However, all businesses with valuable IP can be at risk of insider data theft.

Pre-planning and developing policies, security measures and employee / contractor agreements are key to preventing or responding to an insider threat or intellectual property theft.

If you need assistance in data theft prevention contact us.
