Monday 31 December 2012

Privacy Commissioner Timothy Pilgrim Goes on Uninformed Power Trip.

The Australian Privacy Commissioner, Timothy Pilgrim, has urged all organisations, both public and private, to review the new principles and warned that his office will have substantially boosted powers to enforce the laws and exact penalties for any breaches.

“From the commencement of the new laws, I will be able to accept enforceable undertakings, seek civil penalties in the case of serious breaches of privacy, and conduct assessments of privacy performance for both Australian government agencies and private sector organisations,” Mr Pilgrim said.

“While I will continue to work with agencies and businesses to help them comply with privacy laws, I will not shy away from using these powers in appropriate cases.”

What this means for healthcare providers is that all organisations should review their privacy policies now, as they will be required to have a written statement, according to a briefing note by Corrs Chambers Westgarth partner, David Smith, and senior associate, Matthew Craven.

It also means they should look at boosting their IT security arrangements to ensure a breach does not occur, security experts say.

Read More of this story by Kate McDonald at Pulse+IT

Data Theft Australia's Response

The overt blustering by the Australian Privacy Commissioner, Timothy Pilgrim, that his office will have substantially boosted powers to enforce the laws and exact penalties for any breaches, is a typical knee-jerk response to a critical problem facing all consumers.

Characteristically, the introduction and passing of the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 falls well short of the mark, primarily due to the ignorance of its supporters on both sides of parliament, particularly the Attorney General, Nicola Roxon, and the Health Minister, Tanya Plibersek.

Health Minister Tanya Plibersek and Ms Roxon, first as Health Minister and again as Attorney General, have been made aware on numerous occasions that Police lack the legislative power to charge employees who compromise data, and in particular patient data held by healthcare providers and medical centres.

Ms Roxon has even admitted, at a Canberra Press Conference, that the greatest threat to data security within Government is corrupted public servants. Recent surveys have also indicated that over 70% of data thefts within private sector organisations are committed by insiders.

Another meeting with senior Fraud Squad Detectives in Sydney, on Wednesday December 19, 2012, confirmed Police are powerless to charge employees who steal personally identifying data from health care providers.

With so many people affected by such an insidious act of theft, including patients, business owners, employees, their families and suppliers, governments have to take a much more serious look at passing legislation that will allow Police to charge employees responsible for data theft.

Mr Pilgrim should spend more time actually uncovering what the real issues are rather than postulate how much power he now has.

Thursday 20 December 2012

Senior Fraud Squad Police confirm there is no way to charge data thieves

A meeting with senior Fraud Squad Detectives in Sydney yesterday has confirmed Police are powerless to charge employees who steal data from their employers.

Whilst state and federal ministers and bureaucrats, on both sides of parliament, have written to us or responded to our correspondence promoting existing legislation under the Crimes Act, the Privacy Act and the Copyright Act, there remains absolutely no legislation in any state or federally that will allow Police to charge for theft of data by an employee, or for that matter by any person who has authorised access to a business.

The meeting confirmed that, regardless of the level of security over a database and however extensive the agreements between employees and employers, any theft of data can only be handled in the civil courts.

The costs associated with any civil court action prevent most small businesses from recovering the loss and damages caused by this type of fraud, providing total immunity for the thieves. Even for those businesses willing to pursue a civil court action, the end result could be substantial costs and no compensation, because the thief has no tangible assets or funds with which to pay the awarded loss and damages.

With so many people affected by such an insidious act of theft, including business owners, employees, their families, suppliers and customers, governments have to take a much more serious look at passing legislation that will allow Police to charge persons responsible for data theft.

One recent case of data theft by employees breached the privacy of thousands of patients and shut down one of Sydney's leading sports injury centres causing staff to be laid off and loss and damages in the millions of dollars.

Police, security and legal experts, as well as the companies affected, say the end result leaves employees feeling immune from any legal threat or recourse.

Wednesday 12 December 2012

Open Letter to Politicians - Data Theft by Employees

Good morning all Politicians,

If an employee has access to confidential information that can be used for identity theft they may decide to use this information themselves to make purchases, pass it to a competitor, set up a competitive business or pass it to an identity thief.

Recent changes to the Privacy Act (Privacy Amendment (Enhancing Privacy Protection) Bill 2012) could see the employer heavily fined for breaches of privacy, yet the employee remains totally immune from prosecution.

A recent multimillion dollar data theft from a Sydney based sports injury facility cannot be investigated by Police as there is no legislation that will allow them to charge the persons involved despite the weight of evidence available to them.

Thousands of patients' records were compromised and, under OAIC guidelines, the patients were notified of the breach. Under the recently enacted Privacy Amendment (Enhancing Privacy Protection) Bill 2012 the centre could be liable for heavy fines (as of March 2014), yet the data thieves continue to remain immune from prosecution.

The Attorney General Nicola Roxon, the Minister For Health Tanya Plibersek and much of the business community are completely naive to the fact there are absolutely no laws which will allow Police to charge employees who steal critical data assets.

Both Ms Nicola Roxon and Ms Tanya Plibersek continue to insist employees can be charged under the Crimes Act 1900 section 308H and have replied to our correspondence accordingly.

We have been writing to both these ministers for over two years including providing correspondence from NSW Police which confirms that 'employees cannot be charged' under the Crimes Act or any other current legislation if they steal data from their employer.

Recently Ms Roxon admitted, at a Canberra Press Conference, that the greatest threat to data security within Government is corrupted public servants. Recent surveys have indicated that over 70% of data thefts are committed by insiders.

We hope that you may be able to help champion a lobby to correct this huge gap in legislation which is costing business billions of dollars and breaching the privacy of literally millions of Australians.

We look forward to your support for the introduction of legislation that will allow Police to charge employees who steal critical data assets from their employer.

Kind regards

Brad Robinson
Data Theft Australia
Data Theft on Google +

Data Theft by Employees Community

Tuesday 11 December 2012

Small businesses suffer from theft of data

By Australian Financial Review's James Hutchison

Small businesses have called for tougher criminal penalties for former employees who steal or leak sensitive company information, as experts warned that millions in losses had arisen from increased data theft since the global financial crisis.

Figures from research firm Ponemon showed data theft has continued to be a major pain point for all businesses, with insiders – former employees or contractors – responsible for a third of all information breaches last year. These breaches were the result of either an employee’s negligence, or malicious attempts to siphon data from the business for personal gain.

The Australian businesses surveyed by Ponemon spent an average of $US2.27 million last year dealing with these breaches. Data theft investigators and security consultants said incidents had increased since the global economic downturn, particularly in the construction sector, as employees became desperate to win contracts or personally benefit from the business.

One consultant said the “law is silent” on corruption and data leakage in the private sector.

Continue here to read the rest of the article.

Tuesday 27 November 2012

Privacy commissioners seek greater power as breaches increase

Privacy commissioners of Australia and New Zealand said they need more enforcement authority to combat data breaches and other privacy concerns.

Whilst we agree that data breaches can be a cause of identity theft, it is the lack of legislation allowing Police to charge employees who steal data and breach privacy that is at odds with the commissioners' enforcement requirements.

A recent Kroll Global Fraud Report indicated that over two thirds of corporate frauds are committed by insiders. Even the Attorney-General herself said, at a recent Security Conference in Canberra, "One of the greatest risks to the security of government computer systems is from exploited or corrupted public servants".

Data theft by employees is at epidemic levels and continues to increase. Imposing hefty fines on a small business because of a security breach by an employee only serves to further damage the affected business and does nothing to prevent continuing occurrences.

Employees are completely immune from prosecution by Police if they steal data or any IP belonging to the company they are employed by.

There are civil remedies, however a small to medium-sized business whose primary asset is data is usually so financially devastated by such a theft that it cannot afford to fund litigation. The thief benefits from the theft, causes the employer to breach its privacy policy with its customers and potentially causes additional loss for the business when it is fined under the proposed Bill.

Obtaining an injunction against a thief costs about $50,000.00, plus a surety over costs of up to an additional $150,000.00. Most small businesses cannot afford this impost or the distraction of a usually protracted legal battle.

If the proposed Bill is to have any impact at all it must be supported by legislation that will allow Police to charge employees who misuse authorised access to a computer or computer system to steal data from their employers.

Most businesses, including big businesses, are completely unaware that if an employee, or in fact anybody who has been provided access to their business, steals data, that person cannot be prosecuted by Police.

Tuesday 20 November 2012

Cyber-Ark 2012 Trust, Security and Passwords Survey

Cyber-Ark's annual global IT security survey was released in June 2012. Here are some key conclusions:

Privileged accounts are increasingly being targeted in enterprise assaults, regardless of the attack entry point:
  • 71 percent of respondents consider insider threats to be the greatest security risk to their organisation.
  • 29 percent cite external threats, including targeted cyber-attacks and opportunistic hacks.
  • 64 percent of respondents believe that the majority of recent security attacks have involved the exploitation of privileged account access.

Recent high-profile security attacks, such as the RSA and Global Payments data breaches, have made an impact on security strategies this year:

When asked if they were rethinking security strategies based on these high profile breaches, more than half said yes (51 percent).

Respondents were asked to rank their 2012 IT security priorities in order of importance:
  • Vulnerability Management (17 percent)
  • Privileged Identity Management (16 percent)
  • Security Information and Event Monitoring (SIEM) (15 percent)
  • Anti-Virus/Malware (13 percent).

Despite growing awareness of the privileged connection in cyber-attacks and the increasing insider threat, some businesses are failing to uphold their responsibility for securing customer and similar sensitive information:
  • 43 percent of respondents stated that their organizations do not monitor the use of privileged accounts or were unsure of whether they did.
  • Of those organizations that monitor privileged access, 52 percent of respondents believe they can get around the current controls.

Current legislative and regulatory efforts to curb data breaches have proven ineffective to date:

When asked if data breach notification laws are effective in curbing data loss, 72 percent of respondents stated no, while only 28 percent stated yes.

The perception of the insider threat as the greatest security risk is driven by continued unauthorized access to sensitive information:
  • 45 percent of respondents indicated that they have access to information on a system that is not relevant to their role.
  • 42 percent of respondents indicated that they or a colleague have used admin passwords to access information that was otherwise confidential.
  • 55 percent of respondents believe that competitors have received their company’s highly sensitive information or intellectual property.
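The two monitoring findings above (43 percent do not monitor privileged account use, and over half of those who do believe they can get around the controls) and the later findings on staff reaching data outside their role with admin passwords describe exactly the gap an audit-log review closes. The following Python block is an added example, not from Cyber-Ark, the survey or this blog. It parses a constructed application audit log (the line format, user names, workstation names, dates and thresholds are all assumptions for illustration) and flags the two patterns this page keeps returning to: a single user-day that touches far more records than that user's own baseline, which is what exporting a whole patient database looks like in the log, and a shared administrator account used after hours or from a workstation that a named user had also used.

```python
"""Flag bulk record access and shared-admin use in an application audit log (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical line format, one event per line:
#   <ISO timestamp> <user> <role> <action> <records touched> <source workstation>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<role>\S+) (?P<action>\S+) (?P<records>\d+) (?P<src>\S+)$"
)

# Constructed sample log for a fictional clinic; every name, host and date is invented.
SAMPLE_LOG = """\
2012-11-19T08:02:11 jsmith reception view_patient 1 ws-front-1
2012-11-19T08:05:40 jsmith reception view_patient 1 ws-front-1
2012-11-19T09:11:02 dlee physio view_patient 1 ws-room-3
2012-11-19T09:30:13 jsmith reception view_patient 1 ws-front-1
2012-11-20T08:01:19 jsmith reception view_patient 1 ws-front-1
2012-11-20T08:44:59 dlee physio view_patient 1 ws-room-3
2012-11-20T19:02:37 jsmith reception export_patients 4800 ws-front-1
2012-11-20T19:10:12 admin sysadmin login 0 ws-front-1
2012-11-20T19:11:40 admin sysadmin export_patients 4800 ws-front-1
"""


def parse_log(text):
    """Parse audit lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["records"] = int(e["records"])
        events.append(e)
    return events


def records_per_user_day(events):
    """Total records touched, keyed by (user, calendar day)."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["ts"].date())] += e["records"]
    return totals


def find_bulk_access(events, absolute=500, multiplier=10):
    """Return (user, day, records, baseline) for user-days that touch at least `absolute`
    records, or at least `multiplier` times that user's median on their other days.
    Thresholds are assumptions; tune them to the volume a role legitimately handles."""
    by_user = defaultdict(dict)
    for (user, day), n in records_per_user_day(events).items():
        by_user[user][day] = n
    findings = []
    for user, days in by_user.items():
        for day, n in days.items():
            others = sorted(v for d, v in days.items() if d != day)
            baseline = others[len(others) // 2] if others else 0
            if n >= absolute or (baseline and n >= multiplier * baseline):
                findings.append((user, day.isoformat(), n, baseline))
    return sorted(findings)


def find_shared_admin_use(events, admin_accounts=("admin",), business_hours=(8, 18)):
    """Return (timestamp, workstation, action, reasons) for every use of a generic admin
    account outside business hours or from a workstation a named user also used, which is
    the usual sign that a staff member has borrowed the admin password."""
    workstation_users = defaultdict(set)
    for e in events:
        if e["user"] not in admin_accounts:
            workstation_users[e["src"]].add(e["user"])
    findings = []
    for e in events:
        if e["user"] not in admin_accounts:
            continue
        reasons = []
        if not business_hours[0] <= e["ts"].hour < business_hours[1]:
            reasons.append("after_hours")
        if workstation_users.get(e["src"]):
            reasons.append("workstation_of:" + ",".join(sorted(workstation_users[e["src"]])))
        if reasons:
            findings.append((e["ts"].isoformat(), e["src"], e["action"], reasons))
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for f in find_bulk_access(evts):
        print("BULK ACCESS", f)
    for f in find_shared_admin_use(evts):
        print("SHARED ADMIN", f)
```

On the sample log the reception user's 4,800-record export on 20 November stands out against a baseline of three records a day, and the generic admin account is flagged twice: it was used after hours and from the same front-desk workstation. The point is not the thresholds but that "authorised access" still leaves a trail, so an employer can detect the export on the day it happens rather than learning of it from patients months later.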

See the full survey here (pdf)

Friday 26 October 2012

Compulsory data-breach notification will do nothing to protect Australians

Attorney General Nicola Roxon's proposed compulsory data breach notification does not address the real issues facing Australian consumers and business. There is no evidence that compulsory notification will protect Australians and frankly any notification of a breach is usually too late anyway. If there is going to be compulsory notification there also needs to be tough legislation to deal with the persons who steal the data.

An insider stealing data causes the company to breach privacy and potentially subjects the company to huge fines under the proposed Compulsory Notification Bill. What happens to the thief? At the moment nothing, if the thief is an employee of the company!

ADMA CEO Jodie Sangster's recent revelation: “A drop of 18 % for a total of 46 notifications in the year could equally suggest that companies have responded well to his office’s advice on preventing data breaches” is ignorant of the facts.

Many data-breaches are never reported by business owners.

Under the privacy commissioner's current guidelines, persons affected by a data breach should be notified immediately. More often than not the person receiving the notice contacts the company to question its level of security and to find out which of their information has been compromised.

Recently a Sydney CBD medical practice, following the privacy commissioner's guidelines, notified patients that their data may have been compromised. The notification prompted thousands of abusive calls from patients questioning the centre's security, with many saying they would never return. In this case patient data was compromised by a long-term employee who had conspired with three others to 'misuse authorised access' to steal the patient database.

Business owners who know of or have heard of similar experiences will avoid notifying their customers of data breaches. The 18% drop in total notifications is not a reflection on ADMA's advice; it is the fear of the detrimental short and long term effects a data breach report may have on a business.

A recent Kroll Global Fraud Report indicated that over two thirds of corporate frauds are committed by insiders. Even the Attorney-General herself said, at a recent Security Conference in Canberra, "One of the greatest risks to the security of government computer systems is from exploited or corrupted public servants".

Insider theft of personally identifying information (PII) is at epidemic levels in Australia and will remain so until legislation is passed that will allow Police to charge employees who steal data. PII is very often a business's most valuable asset and for many is valued in the millions of dollars. If an employee embezzled the same value in cash they would be charged by Police and likely receive a custodial sentence.

If the Attorney General is at all serious about reducing the incidence of data breaches then she needs to propose adequate legislation to protect business and Australian consumers from insider fraud, the most common of all data breaches.

Submitting a band aid Bill that will have little if any effect on preventing data-breaches is ill conceived and falls well short of providing the protections required to meet increasing levels of insider data-breaches.

Tuesday 16 October 2012

The Dangers of Identity Theft

Identity theft is the act of stealing your personal information to commit fraud. It usually involves money, but the scariest part about the crime is the damage it inflicts on the victim’s credit record and good name, which takes years to build and/or repair.

To give you a better idea on the dangers of identity theft, here are a few of its effects:

Effects of Identity Theft

On your finances
If you’re victimised by an identity thief, one of the first things affected is your finances. The thief could do a lot of damaging things, like take out a loan in your name, duplicate your ATM card and empty your account or, worse, make counterfeit cheques drawn on your account. When that happens, you have a lot of explaining to do to your financial institution.

On your credit card
Identity thieves have been known to change the billing address of a victim’s credit card to keep their quarry from receiving monthly statements and finding out that the card is being used fraudulently. Thieves may also get a new credit card under the victim’s name. Naturally, the thief doesn’t pay the bill, affecting the victim’s credit report.

On your utilities
It’s the same thing here. Thieves can get a new mobile phone account or another utility service under your name then run up the charges.

On your government documents
Here’s when it turns into a spy flick gone bad: A thief gets your official ID cards (e.g. driver’s licence, social security) under your name but with their picture. With these important documents, a thief can steal your name and benefits, and get you into more trouble by filing a fake tax return.

How to Protect Yourself from Identity Theft

Here are a few suggestions on how to protect yourself from having your identity stolen:

Beware of what you're clicking
If you’re not familiar with the link, don’t click it. If you’re asked to enter any personal information, double-check the site first, since there are look-alike sites out there that try to fool you into entering sensitive data like credit card or account numbers. If a friend’s e-mail looks suspicious because it contains nothing but a link, don’t click the link, and tell your friend their account may have been compromised.

Use a different password for every account
See to it that the password for each account is different, so that one stolen password, however strong, does not expose all of your accounts; a password manager makes this practical. Changing passwords on a fixed schedule (every month or three) is no longer recommended by NIST (SP 800-63B); instead, change a password promptly when a site reports a breach or you suspect it has been exposed, and when you do, make it long and nothing like "password". Turn on two-factor authentication wherever it is offered.

Leave important documents at home
Unless you need your important documents for a specific purpose, leave them at home. In the wrong hands, these documents could be very damaging to you; perhaps even more destructive than financial thefts because your entire identity could get stolen. Money and credit can be earned back, but mistaken identity could land you in jail.

Tell your bank when you're on a trip
Remember: it’s important to inform your financial institution about a trip abroad, because purchases made away from your usual location are treated as unusual and are often declined by credit card companies.

Avoid public Wi-Fi for payments
Paying bills from your phone is convenient, but it is safer to conduct these kinds of transactions on your own home network (or your mobile data connection) rather than on public Wi-Fi, and only on sites that show a valid HTTPS connection. It’s better to be safe than sorry.

Monday 15 October 2012

Employer successful in $500,000 claim for breach of contract against employee

Source Cooper Grace Ward

The New South Wales Supreme Court has awarded financial broking company, Tullett Prebon (Australia) Pty Ltd, more than $500,000 damages after a finding that its former employee had breached their employment contract.

The employee was engaged as a broker with the Company for a fixed term of at least two years. Some 15 months before the end of the contract, the employee resigned his position.

The Company refused to accept the employee’s resignation and instead invoked the ‘gardening leave’ provisions of the contract, and advised the employee he would not be required to attend work, but would continue to be paid his base remuneration.

Despite this, the employee immediately commenced work with a direct competitor of the Company.

The employment contract contained a restraint of trade provision that prevented the employee from working for a competitor or soliciting clients or employees until the end of the fixed term, or for a period of three months after the termination of his employment.

The Company sought an injunction to prevent the employee engaging in this conduct for a period extending until the end of the fixed term contract - which was not due to expire for a further 11 months.

However, the Court considered this timeframe was unreasonable but granted an injunction for six months from the date the employee gave his resignation.

The Court noted that, while the employment relationship had ended, the employment contract remained on foot unless the Company accepted the employee’s resignation.

Two days before the injunction was due to expire the Company issued the employee a letter directing him to attend for work the following week. The letter advised him that, if he failed to do so, he would be in breach of his contract and would give the Company grounds to terminate the contract.

The employee did not respond to the letter and instead, re-commenced work with the Company’s competitor.

On this basis, the Company terminated the employment contract and instituted proceedings against the employee relying on a clause within the contract that permitted the Company to seek liquidated damages if the employee breached or repudiated the contract.

To be successful, the Company had to establish that, although the employment relationship had ended, it was still able to give the employee a direction to attend work and that the failure to attend was a repudiation that triggered the liquidated damages clause.

In addressing this issue, the Court found that, while the Company did not have the power to unilaterally reinstate the employment relationship, it was entitled to require the employee to make a final decision as to whether he wished to resume employment.

If he chose not to, this would be a fresh repudiation of the employment contract and would therefore entitle the Company to bring the contract to an end.

The judge found that this was in fact what had occurred, and therefore found that the Company could invoke the right to claim liquidated damages under the contract.

The employee argued that the damages clause was penal in nature and therefore unenforceable as it was not a genuine pre-estimate of the Company’s damages taking into account the fact that the employee would most likely have been replaced by another broker.

The calculation set out in the clause was, however, considered to be standard practice in the broking industry. Evidence was provided by the Company that, in the time the employee was absent from work, a loss of approximately $400,000 had been sustained.

Based on this comparison, the calculation provided for under the contract was held not to be “so extravagantly out of proportion to the loss as to attract the doctrine relating to penalty”.

The employee was ordered to pay $503,100 plus interest and costs. The employee has indicated that he will consider appealing the decision.

Friday 12 October 2012

Accountant ordered to pay damages for using confidential information to poach clients

Source: Belinda Winter Partner, Cooper Grace Ward Lawyers

The New South Wales Supreme Court has ordered an accountant to pay $117,995 in damages after he used his former employer’s confidential information to poach at least 776 clients.

In 2002, Mr Denis Cummins, an accountant, sold his practice to Commercial & Accounting Services (Camden) Pty Ltd (Company). Following the sale, Mr Cummins continued to work for the Company 17 hours per week. The agreement for sale contained a clause that restrained Mr Cummins from competing against the Company for a period of at least 3 years within a 10 kilometre radius of the business address of the Company’s accounting practice.

In early 2009, Mr Cummins told the Company that he would end his employment on 30 June 2010 and that he intended starting an accountancy practice in competition with the Company.

By agreement, the parties ended Mr Cummins’ employment early on 30 June 2009. Mr Cummins communicated to the Company that he intended on taking ‘a half dozen or so clingy clients’ and this was agreed to by the Company.

On 1 July 2009 Mr Cummins wrote to an unknown number of the Company’s clients informing them that he had moved from the Company and was now practicing in his own firm. The letter contained an authority for clients to use to transfer their files from the Company to his new practice. It was claimed by Mr Cummins that the contact details for these clients were taken from memory and his own lists, and that Mr Cummins did not use any of the Company’s client lists. This was not accepted by the Court. To the contrary, the Court determined that Mr Cummins did use the Company’s client lists and that he knew that such client lists were confidential to the Company.

To determine the appropriate damages for Mr Cummins’ use of the Company’s confidential information, a robust approach was applied by the Court. It was determined that 75% of the loss of goodwill of the Company should be attributed to Mr Cummins’ actions. This was calculated to be equal to $117,995, and damages of that amount were ordered.

Lessons for employers

This case highlights the importance for employers to protect their confidential information. Adequate contractual protections should be in place, via a business sale agreement and contract of employment. Further, proactive controls should be implemented to prevent the unauthorised use of confidential information.

If you do not have written employment agreements or your agreements do not contain effective restraints we can provide agreements that maximise your prospects of preventing employees taking your clients. You can contact Belinda Winter on 61 7 3231 2498 to discuss how we can help protect your business goodwill.

Commercial & Accounting Services (Camden) Pty Ltd v Cummins [2011] NSWSC 843 (3 August 2011)

Wednesday 10 October 2012

What does data theft look like?

When a business owner experiences theft of a valuable data asset it is often difficult for others to appreciate the actual effect on the business. We all think of data as bits of information in a computer so understanding what the effect of theft looks like can be difficult to picture.

We have taken actual revenue figures for a local Sydney business and graphed the outcomes over 10 years, including the effect of the theft of a critical data asset. The graph in the pdf below shows when the business started in July 2003, the year on year growth, and the actual and projected revenue through to June 2013.

When data theft occurs the effect on revenue is usually immediate, so business expenses have to be reduced straight away in an attempt to salvage the business. That usually means staff have to be let go and various other expenses cut to match the remaining inflows. However, expense items like rent, equipment leasing, power, phones etc. remain unchanged, as do other critical cost areas depending on the business. This invariably means forecast profits are downgraded to losses.

One of the expense areas most affected is marketing, which has a knock-on effect on all other areas of the business. Advertising is usually tied incrementally to revenue and profits: the more of both, the more can be spent on marketing the business. The immediate impact data theft has on revenue means fewer dollars to market the business. In most service businesses, getting back to where the business was before the theft will take years, let alone getting to where the business would have been had the theft not occurred at all.

Example: Turnover at $700,000.00 achieved after 10 years with average year on year growth at 35%. Data theft reduced turnover for the following full year (after theft) to $152,000.00. If similar historic growth could be maintained it will take 6 years to get back to where the business was before the theft and 12 years to get to where it would have been had the business been able to continue on its original business plan.

In this example accounting for profits, damages and lost value at exit would require forensic accounting however it is well into 6 figures.
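The recovery figures in the example above can be checked with a small projection model. The Python block below is an added example, not from Data Theft Australia or from the linked pdf. It uses the page's own figures ($700,000 turnover, 35% average year on year growth, $152,000 in the year after the theft) and counts the whole years of compound growth needed to get back to the pre-theft level. It also carries the second comparison through: if the reduced business and the original plan both keep growing at 35%, the reduced business never catches the plan, because the same growth rate applied to a smaller base only widens the gap in dollars. The page's 12-year figure therefore depends on the plan in the pdf, which is not reproduced here; the 18% plan growth used in the last call is a hypothetical value chosen for illustration, not a figure from the page.

```python
"""Years to recover from an insider data theft, modelled as compound revenue growth (added example)."""


def project(start, growth, years):
    """Revenue after `years` whole years of compound growth at rate `growth` (0.35 == 35%)."""
    return start * (1 + growth) ** years


def years_to_reach(start, target, growth, max_years=100):
    """Whole years of growth at `growth` until revenue is at least `target`; None if never reached."""
    for year in range(max_years + 1):
        if project(start, growth, year) >= target:
            return year
    return None


def years_to_catch_plan(post_theft, plan_at_theft, post_growth, plan_growth, max_years=100):
    """Years until the post-theft business overtakes the original plan, which keeps growing
    from `plan_at_theft` at `plan_growth`; None if the gap never closes within `max_years`."""
    for year in range(max_years + 1):
        if project(post_theft, post_growth, year) >= project(plan_at_theft, plan_growth, year):
            return year
    return None


# Figures from the post
PRE_THEFT = 700_000   # turnover reached after 10 years
POST_THEFT = 152_000  # turnover in the full year after the theft
GROWTH = 0.35         # average year on year growth

if __name__ == "__main__":
    print("years back to pre-theft turnover:", years_to_reach(POST_THEFT, PRE_THEFT, GROWTH))
    print("years to catch a plan still growing at 35%:",
          years_to_catch_plan(POST_THEFT, PRE_THEFT, GROWTH, GROWTH))
    # 18% is a hypothetical plan growth rate for illustration only, not a figure from the page
    print("years to catch a plan growing at 18%:",
          years_to_catch_plan(POST_THEFT, PRE_THEFT, GROWTH, 0.18))
```

The first call reproduces the page's 6 years (turnover passes $700,000 in the sixth year at 35% growth from $152,000). The second returns None: at equal growth rates the original projection is never caught, which is why the loss the post describes is permanent rather than a delay, and why a forensic accountant values the damages as the area between the two curves rather than as a single year's shortfall.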

Employees stealing critical data from their employer affects everybody in the business. In addition to internal cost cutting, arrangements invariably have to be made with creditors to keep the business going long enough for the cost adjustments to take effect.

Data theft by employees is such an insidious crime it is actually negligent that State and Federal Governments have not introduced legislation that will allow Police to charge callous individuals who would be behind bars if they embezzled the equivalent value in cash.

Open the pdf here.

Monday 8 October 2012

Book - Stress is a choice

We received an email this morning from Mac Anderson over at Simple Truths about a special offer on a great book by David Zerfoss. We felt it was worth publishing here.

Stress is a Choice
An Empty Pickle Jar

A professor stood before his philosophy class and had some items in front of him. When the class began, wordlessly he picked up a very large and empty pickle jar and proceeded to fill it with golf balls.

He then asked the students if the jar was full. They agreed that it was. So the professor then picked up a box of pebbles and poured them into the jar. He shook the jar lightly. The pebbles rolled into the open areas between the golf balls. He then asked the students again if the jar was full. They agreed it was.

The professor next picked up a box of sand and poured it into the jar. Of course, the sand filled up everything else. He asked once more if the jar was full. The students responded with a unanimous "yes."

The professor then produced two glasses of chocolate milk from under the table and poured the entire contents into the jar effectively filling the empty space between the sand.

The students laughed.

The Moral of the Story - The professor waited for the laughter to subside....

"Now," said the professor, "I want you to recognize that this jar represents your life. The golf balls are the important things...your family, your children, your health, your friends, your favourite passions. Things that if everything else was lost and only they remained, your life would still be full."

"The pebbles are the other things that matter like your job, your home, your car."

"The sand is everything else...The small stuff. If you put the sand into the jar first, there is no room for the pebbles or the golf balls. The same goes for life. If you spend all your time and energy on the small stuff, you will never have room for the things that are critical to your happiness."

"Play with your children. Take time to get medical check ups. Take your partner to dinner. Play another 18. There will always be time to clean the house or fix the disposal."

"Take care of the golf balls first, the things that really matter. Set your priorities, the rest is just sand."

This story is a wonderful reminder to focus on what is most important in our lives. And focusing on our priorities is one of the 10 Rules to Simplify Your Life in one of my favorite books...Stress is a Choice.

Many of us hurry through life, going from one place to the next, focused on conquering the next mountain, making the next deal, running the next errand, and believing we will never have enough time to do all the things we need to get done. Yet there is all the time in the world if we just realize that we are the creators of the life we choose to live. That's right. Life is a series of choices, and being free from stress is one of those choices.

This is a great book by author, Dave Zerfoss that has the potential to change your life! It's also a great gift for almost any occasion.

For more information or to look inside this great book, just click here.

Saturday 6 October 2012

Your Company's most valuable asset - 'data'

For many businesses, data, usually stored on a computer, is their most valuable asset. A sudden change to or loss of this data can be financially devastating, which is why backing up data is so important. Backups, however, do not protect against data theft by an employee.

Some research on data theft will point toward section 308H of the Crimes Act 1900 (NSW), section 9A of the Summary Offences Act 1966 (Vic) and similar legislation in other states, the Criminal Code Act 1995 (Cth) and the Commonwealth Copyright Act. However, Police will not charge persons who are employed by a business, or who have been given access to it by the employer. There is no legislation that allows Police to charge persons who misuse authorised access to steal data.

In the health industry, where the ethics of healthcare professionals should be sacrosanct, the governing body, the Australian Health Practitioner Regulation Agency (AHPRA), and its various National Boards (Medical, Chiropractic, Osteopathy, Physiotherapy, etc.) treat the act of stealing a patient database and removing it from a medical facility, without authorisation or the written permission of patients, as an “industrial dispute”.

In other words, this type of theft does not breach the ethical requirements of membership of Australia’s governing healthcare boards, leaving the civil courts as the only available option for medical practice owners seeking justice.

Patient health records are among the most prized types of data for identity thieves. An organised identity thief will pay a few dollars per patient record just to get hold of the data, and there are numerous clandestine websites where a disgruntled employee, blessed with immunity from prosecution, can upload a database in seconds. Even a small medical practice can hold upwards of 20,000 individual patient records.

Most occurrences of unauthorised removal of patient data from a practice do not end up with an identity thief, and hopefully this remains rare. However, if an ethically challenged healthcare professional is prepared to lower their moral standing so far as to steal from their employer, who would know when patient identifying information is passed on to an identity thief?

Greed is good, said Gordon Gekko and it is greed that drives the ethically challenged to breach their agreements and steal data from their employer.

More often it is done to help them negotiate a more lucrative position with a competitor or to help them start their own business. Most medical practice owners will in fact reject employment applications if they know the applicant is coming with stolen patient data. Apart from the moral and ethical issues, there will always be the concern that, having done it once, the thief will do it again.

Usually these morally bankrupt individuals will start their own practice using the stolen data, and the relationships they built with patients while at their previous employer, to lower the risk of starting a new business and keep their lucrative income intact.

Organising premises close to their previous employer and contacting the patients by SMS and e-mail, to let them know their practitioner has moved and to invite them to make their next appointment at the new practice, is all that is required to start it. The usual business risks and investment associated with starting a practice, and the many years required to develop it into a lucrative business, have been reduced to virtually zero.

Under the guidelines of the Office of the Australian Information Commissioner (OAIC), an incident of data theft requires business owners to promptly notify affected consumers that their data may have been compromised.

In the case of healthcare, patients believe, or want to believe, their practitioner’s explanation for moving on from the previous employer and will be happy to continue the relationship with the thief. Involving patients in a dispute between a practice owner and a healthcare professional by notifying them of a breach serves no purpose other than to potentially further alienate the patient.

Abiding by the OAIC guidelines and notifying patients also raises the question of security, and more often than not leads to complaints and abusive calls to the practice asking how their information could have been compromised in the supposedly secure environment described in most medical practice privacy policies.

It also raises the question of the patient’s right to see whichever healthcare professional they choose, which is not the purpose of a breach notification. The notification is instead read as resentment on the part of the ex-employer.

One misleading and deceptive blog post by a healthcare professional, published after a breach notification and justifying his own and others’ theft of patient data from their employers, read as follows:

“The patient’s relationship is with the practitioner, and therefore the owner (or custodian) of those records (“goodwill”) is that practitioner. A clinic is a shell, building, cash collection service, but your relationship will always be with your health care worker, not the receptionist or the practice owner.”

The author of this post used an unsuspecting receptionist’s login to dump the patient database onto a USB drive and remove it from his employer’s healthcare centre.

This same practitioner was originally hired to see the patients of a medical practice that had already been operating for many years before he started. It was not he who hired the practice to provide management and office services, as his post implies. After many years and thousands of dollars invested by the owners in marketing and resources to build the practice, he stole the patient database to start his own.

This is a typical example of fraud and theft by an unprincipled person, and of the moral compass by which such people navigate their business lives. They justify their morally bankrupt behaviour by emphasising the patient’s relationship with the practitioner.

In this and many similar cases it is never a question of the patient’s right to see whomever they choose; it is the deceitful methods used to steal a well-established and thriving practice. Most agreements between healthcare professionals and their employers contain restrictive and enforceable covenants, including geographic and non-enticement provisions for an agreed period, usually 12 months.

Geographic provisions in healthcare agreements include not practising with a competitor or starting a practice within an agreed radius of the employer; enticement provisions include not enticing patients or staff away from the employer. In the example of data theft by the author of the misleading post above, the value of the practice stolen was over $500,000.00.

With no legislative support for Police to charge persons who “misuse authorised access” to steal data, business owners are left with few alternatives other than to pursue these individuals in the civil courts. Civil cases can cost hundreds of thousands of dollars and take years to complete. In most cases the thief is never pursued, which provides additional incentive for employees to commit fraud and is likely a primary reason for the data theft epidemic in Australia today.

Commercial lawyers advise business owners to make sure employment agreements are robust, particularly on data ownership, security and restrictive covenants. However, even the most binding contract still requires the business owner to pursue the thief civilly, so it cannot be relied upon to stop data theft by unethical employees from occurring in the first place.

Business owners still need deep pockets, persistence and a willingness to pursue the thief in the civil courts when insider theft of data occurs. In some cases the theft will devastate a business financially, making it impossible to take on the added expense of litigation. An injunction and security for costs alone can run to over $200,000.00, and the expected total cost of civil proceedings will usually exceed $200,000.00 to $250,000.00.

Even if business owners have the money, time and persistence to go to court, they will be distracted from running their business and frustrated by the legal process. While the owners are heads down trying to rescue the business from the financial effects of the theft, with the added burden of an exasperating and costly legal challenge, the thief is enjoying the benefits of his prize, using some of the revenue he has stolen from the business to defend himself.

To add to the frustration, the thief may have no assets in his name, so regardless of any judgement against him, compensation for legal costs, the theft and damages is unlikely.

In the data theft example above, the affected business was advised not to pursue the thief, purely on commercial grounds. The individual concerned had no assets to speak of, so prosecuting the case would have been a pointless waste of money, time and resources.

However, not prosecuting in this case left the door open for the thief to publish misleading and deceptive information to patients in support of the deceit perpetrated on his ex-employer, further harming the business, its owners and employees.

If your primary asset is data, you need to examine every possibility for theft from within your business, even by your most trusted employees, in addition to building a paper wall of agreements around the asset. Make it a priority to have very specific agreements with employees covering data, and take out cyber theft insurance; a number of insurance companies now provide cover for cyber-crime.
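One concrete control for the “examine every possibility” advice above, offered here as an added example and not as code from the original post: a small Python checker run over a constructed, hypothetical practice-system audit log. It flags the two signals present in the incident described earlier, a login used from a workstation it was never seen on before (a borrowed receptionist account) and an account opening far more distinct patient records in a few minutes than any front-desk task needs. The log format, field names, sample data and thresholds are all assumptions; real practice management systems log differently, so the parser is the part to adapt.

```python
"""Spot bulk record access and shared-login misuse in practice audit logs.

Added example, not code from the original post. Assumes a hypothetical
one-event-per-line audit log: "<iso timestamp> user=.. ws=.. action=.. patient=..".
"""
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). Normal front-desk use in the morning,
# then the same receptionist login is used after hours from a consulting room
# to page through the whole database two seconds per record.
NORMAL_LINES = [
    "2012-10-05T08:01:10 user=reception1 ws=FRONTDESK action=VIEW patient=10001",
    "2012-10-05T08:04:22 user=reception1 ws=FRONTDESK action=VIEW patient=10002",
    "2012-10-05T08:09:45 user=reception1 ws=FRONTDESK action=VIEW patient=10003",
    "2012-10-05T09:15:00 user=drsmith ws=ROOM2 action=VIEW patient=10002",
    "2012-10-05T09:30:00 user=drsmith ws=ROOM2 action=VIEW patient=10005",
    "2012-10-05T10:02:00 user=reception1 ws=FRONTDESK action=VIEW patient=10006",
]
DUMP_START = datetime(2012, 10, 5, 18, 40, 0)
DUMP_LINES = [
    f"{(DUMP_START + timedelta(seconds=2 * i)).isoformat()} "
    f"user=reception1 ws=ROOM2 action=VIEW patient={20000 + i}"
    for i in range(60)
]
SAMPLE_LOG = "\n".join(NORMAL_LINES + DUMP_LINES) + "\n"
BASELINE_UNTIL = datetime(2012, 10, 5, 12, 0, 0)  # morning activity = known good


def parse_line(line):
    """Parse one 'ts k=v k=v ...' line into a dict; None if malformed."""
    parts = line.split()
    if len(parts) < 5:
        return None
    try:
        event = {"ts": datetime.fromisoformat(parts[0])}
        for field in parts[1:]:
            key, value = field.split("=", 1)
            event[key] = value
        event["patient"] = int(event["patient"])
    except (ValueError, KeyError):
        return None
    return event


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def bulk_access_alerts(events, window=timedelta(minutes=10), max_records=20):
    """One alert per burst in which an account opens more than max_records
    distinct patient records inside a sliding time window."""
    alerts, state = [], {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e.get("action") != "VIEW":
            continue
        s = state.setdefault(e["user"], {"win": deque(), "seen": Counter(), "alert": None})
        s["win"].append(e)
        s["seen"][e["patient"]] += 1
        while e["ts"] - s["win"][0]["ts"] > window:      # drop events outside window
            old = s["win"].popleft()
            s["seen"][old["patient"]] -= 1
            if s["seen"][old["patient"]] == 0:
                del s["seen"][old["patient"]]
        distinct = len(s["seen"])
        if distinct > max_records:
            if s["alert"] is None:                        # burst starts: raise once
                s["alert"] = {"user": e["user"], "ws": e["ws"], "start": s["win"][0]["ts"],
                              "end": e["ts"], "records": distinct}
                alerts.append(s["alert"])
            else:                                         # burst continues: extend it
                s["alert"]["end"] = e["ts"]
                s["alert"]["records"] = max(s["alert"]["records"], distinct)
        else:
            s["alert"] = None
    return alerts


def new_workstation_alerts(events, baseline_until):
    """Flag a login used from a workstation it was never seen on during the
    baseline period; this is how a borrowed or shared login shows up."""
    known = {(e["user"], e["ws"]) for e in events if e["ts"] < baseline_until}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        pair = (e["user"], e["ws"])
        if e["ts"] >= baseline_until and pair not in known:
            known.add(pair)
            alerts.append({"user": e["user"], "ws": e["ws"], "at": e["ts"]})
    return alerts


def analyse(text, baseline_until=BASELINE_UNTIL):
    events = parse_log(text)
    return {"events": len(events),
            "bulk": bulk_access_alerts(events),
            "new_workstation": new_workstation_alerts(events, baseline_until)}


if __name__ == "__main__":
    for kind, items in analyse(SAMPLE_LOG).items():
        print(kind, items)
```

The thresholds are deliberately crude: a practice would set the window and record count from its own busiest legitimate task (a morning reception run, a recall campaign) and treat anything beyond that, especially outside hours, as worth a phone call the same day rather than a discovery months later.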
