Friday 26 October 2012

Compulsory data-breach notification will do nothing to protect Australians

Attorney-General Nicola Roxon's proposed compulsory data breach notification does not address the real issues facing Australian consumers and business. There is no evidence that compulsory notification will protect Australians and, frankly, any notification of a breach is usually too late anyway. If there is going to be compulsory notification there also needs to be tough legislation to deal with the persons who steal the data.

An insider stealing data causes the company to breach privacy and potentially subjects the company to huge fines under the proposed Compulsory Notification Bill. What happens to the thief? At the moment, nothing, if the thief is an employee of the company!

ADMA CEO Jodie Sangster's recent revelation: “A drop of 18 % for a total of 46 notifications in the year could equally suggest that companies have responded well to his office’s advice on preventing data breaches” is ignorant of the facts.

Many data-breaches are never reported by business owners.

Under the privacy commissioner's current guidelines, persons affected by a data breach should be notified immediately. More often than not, the person receiving the notice contacts the company to question its level of security and to find out which of their information has been compromised.

Recently a Sydney CBD medical practice, following the guidelines of the privacy commissioner, notified patients that their data may have been compromised. The notification prompted thousands of abusive calls from patients questioning the centre's security, with many saying they would never return. In this case patient data was compromised by a long-term employee who had conspired with three others to 'misuse authorised access' to steal the patient database.

Business owners who know of or have heard of similar experiences will avoid notifying their customers of data-breaches. The 18% drop in total notifications is not a reflection on ADMA's advice; it reflects the fear of the detrimental short- and long-term effects a data-breach report may have on a business.

A recent Kroll Global Fraud Report indicated that over two-thirds of corporate frauds are committed by insiders. Even the Attorney-General herself said, at a recent security conference in Canberra, "One of the greatest risks to the security of government computer systems is from exploited or corrupted public servants".

Insider theft of personally identifying information (PII) is at epidemic levels in Australia and will remain so until legislation is passed that will allow Police to charge employees who steal data. PII is very often a business's most valuable asset and for many is valued in the millions of dollars. If an employee embezzled the same value in cash they would be charged by Police and likely receive a custodial sentence.

If the Attorney General is at all serious about reducing the incidence of data breaches then she needs to propose adequate legislation to protect business and Australian consumers from insider fraud, the most common of all data breaches.

Submitting a band-aid Bill that will have little if any effect on preventing data-breaches is ill-conceived and falls well short of providing the protections required to meet increasing levels of insider data-breaches.

Tuesday 16 October 2012

The Dangers of Identity Theft

Identity theft is the act of stealing your personal information to commit fraud. It usually involves money, but the scariest part about the crime is the damage it inflicts on the victim’s credit record and good name, which takes years to build and/or repair.

To give you a better idea of the dangers of identity theft, here are a few of its effects:

Effects of Identity Theft

On your finances
If you’re victimised by an identity thief, one of the first things that is affected is your finances. The thief could do a lot of damaging things, such as apply for a loan in your name, duplicate your ATM cards and drain your account or, worse, make counterfeit cheques using your account. When that happens, you have a lot of explaining to do with your financial institution.

On your credit card
Identity thieves have been known to change the billing address of a victim’s credit card to keep their quarry from receiving monthly statements and finding out that the card is being used fraudulently. Thieves may also get a new credit card under the victim’s name. Naturally, the thief doesn’t pay the bill, affecting the victim’s credit report.

On your utilities
It’s the same thing here. Thieves can get a new mobile phone account or another utility service under your name then run up the charges.

On your government documents
Here’s when it turns into a spy flick gone bad: A thief gets your official ID cards (e.g. driver’s licence, social security) under your name but with their picture. With these important documents, a thief can steal your name and benefits, and get you into more trouble by filing a fake tax return.

How to Protect Yourself from Identity Theft

Here are a few suggestions on how to protect yourself from having your identity stolen:

Beware of what you're clicking
If you’re not familiar with the link, don’t click it. If you’re asked to enter any personal information, double-check the site first, since there are look-alike sites out there that try to fool you into entering sensitive data like credit card or account numbers. If your friend’s e-mail looks suspicious because it only contains a link, don’t click the link, and tell your friend their account may have been hacked.

Change passwords regularly
Make sure you change your passwords every so often, perhaps every month or three. And see to it that the password for each account is different. If a thief steals your only password, even if it’s a strong password, your online data is in trouble. When you do change your passwords, make sure they’re stronger than "password".

Leave important documents at home
Unless you need your important documents for a specific purpose, leave them at home. In the wrong hands, these documents could be very damaging to you; perhaps even more destructive than financial thefts because your entire identity could get stolen. Money and credit can be earned back, but mistaken identity could land you in jail.

Tell your bank when you're on a trip
Remember: it’s important to inform your financial institution about a trip abroad, because purchases outside your usual location are considered unusual and are often declined by credit card companies.

Avoid mobile payments on networks you don't control
Paying bills from a mobile device may be convenient, but it is safer to conduct these kinds of transactions on your own Wi-Fi network, just in case. It’s better to be safe than sorry.

Monday 15 October 2012

Employer successful in $500,000 claim for breach of contract against employee

Source: Cooper Grace Ward

The New South Wales Supreme Court has awarded financial broking company, Tullett Prebon (Australia) Pty Ltd, more than $500,000 damages after a finding that its former employee had breached their employment contract.

The employee was engaged as a broker with the Company for a fixed term of at least two years. Some 15 months before the end of the contract, the employee resigned his position.

The Company refused to accept the employee’s resignation and instead invoked the ‘gardening leave’ provisions of the contract, and advised the employee he would not be required to attend work, but would continue to be paid his base remuneration.

Despite this, the employee immediately commenced work with a direct competitor of the Company.

The employment contract contained a restraint of trade provision that prevented the employee from working for a competitor or soliciting clients or employees until the end of the fixed term, or for a period of three months after the termination of his employment.

The Company sought an injunction to prevent the employee engaging in this conduct for a period extending until the end of the fixed term contract - which was not due to expire for a further 11 months.

The Court considered this timeframe unreasonable, but granted an injunction for six months from the date the employee gave his resignation.

The Court noted that, while the employment relationship had ended, the employment contract remained on foot unless the Company accepted the employee’s resignation.

Two days before the injunction was due to expire the Company issued the employee a letter directing him to attend for work the following week. The letter advised him that, if he failed to do so, he would be in breach of his contract and would give the Company grounds to terminate the contract.

The employee did not respond to the letter and instead, re-commenced work with the Company’s competitor.

On this basis, the Company terminated the employment contract and instituted proceedings against the employee relying on a clause within the contract that permitted the Company to seek liquidated damages if the employee breached or repudiated the contract.

To be successful, the Company had to establish that, although the employment relationship had ended, it was still able to give the employee a direction to attend work and that the failure to attend was a repudiation that triggered the liquidated damages clause.

In addressing this issue, the Court found that, while the Company did not have the power to unilaterally reinstate the employment relationship, it was entitled to require the employee to make a final decision as to whether he wished to resume employment.

If he chose not to, this would be a fresh repudiation of the employment contract and would therefore entitle the Company to bring the contract to an end.

The judge found that this was in fact what had occurred, and therefore found that the Company could invoke the right to claim liquidated damages under the contract.

The employee argued that the damages clause was penal in nature and therefore unenforceable as it was not a genuine pre-estimate of the Company’s damages taking into account the fact that the employee would most likely have been replaced by another broker.

The calculation set out in the clause was, however, considered to be standard practice in the broking industry. Evidence was provided by the Company that, in the time the employee was absent from work, a loss of approximately $400,000 had been sustained.

Based on this comparison, the calculation provided for under the contract was held not to be “so extravagantly out of proportion to the loss as to attract the doctrine relating to penalty”.

The employee was ordered to pay $503,100 plus interest and costs. The employee has indicated that he will consider appealing the decision.

Friday 12 October 2012

Accountant ordered to pay damages for using confidential information to poach clients

Source: Belinda Winter, Partner, Cooper Grace Ward Lawyers

The New South Wales Supreme Court has ordered an accountant to pay $117,995 in damages after he used his former employer’s confidential information to poach at least 776 clients.

In 2002, Mr Denis Cummins, an accountant, sold his practice to Commercial & Accounting Services (Camden) Pty Ltd (Company). Following the sale, Mr Cummins continued to work for the Company 17 hours per week. The agreement for sale contained a clause that restrained Mr Cummins from competing against the Company for a period of at least 3 years within a radius of 10 kilometres from the business address of the Company’s accounting practice.

In early 2009, Mr Cummins told the Company that he would end his employment on 30 June 2010 and that he intended starting an accountancy practice in competition with the Company.

By agreement, the parties ended Mr Cummins’ employment early on 30 June 2009. Mr Cummins communicated to the Company that he intended on taking ‘a half dozen or so clingy clients’ and this was agreed to by the Company.

On 1 July 2009 Mr Cummins wrote to an unknown number of the Company’s clients informing them that he had moved from the Company and was now practicing in his own firm. The letter contained an authority for clients to use to transfer their files from the Company to his new practice. It was claimed by Mr Cummins that the contact details for these clients were taken from memory and his own lists, and that Mr Cummins did not use any of the Company’s client lists. This was not accepted by the Court. To the contrary, the Court determined that Mr Cummins did use the Company’s client lists and that he knew that such client lists were confidential to the Company.

To determine the appropriate damages for Mr Cummins' use of the Company’s confidential information, a robust approach was applied by the Court. It was determined that 75% of the loss of goodwill of the Company should be attributed to Mr Cummins' actions. This was calculated to be equal to $117,995, and damages of that amount were ordered.

Lessons for employers

This case highlights the importance for employers of protecting their confidential information. Adequate contractual protections should be in place, via a business sale agreement and contract of employment. Further, proactive controls should be implemented to prevent the unauthorised use of confidential information.

If you do not have written employment agreements or your agreements do not contain effective restraints we can provide agreements that maximise your prospects of preventing employees taking your clients. You can contact Belinda Winter on 61 7 3231 2498 to discuss how we can help protect your business goodwill.

Commercial & Accounting Services (Camden) Pty Ltd v Cummins [2011] NSWSC 843 (3 August 2011)

Wednesday 10 October 2012

What does data theft look like?

When a business owner experiences theft of a valuable data asset it is often difficult for others to appreciate the actual effect on the business. We all think of data as bits of information in a computer so understanding what the effect of theft looks like can be difficult to picture.

We have taken an actual example of revenue for a local Sydney business and graphed the outcomes over 10 years, including the effect of the theft of a critical data asset. The graph in the pdf below shows when the business started in July 2003, the year-on-year growth and the actual and projected revenue through to June 2013.

When data theft occurs the effect on revenue is usually instant, so business expenses have to be reduced immediately in an attempt to salvage the business. That usually means staff have to be let go and various other expenses reduced to match the remaining inflows. However, expense items like rent, equipment leasing, power, phones etc. remain unchanged, as do other critical cost areas depending on the business. This will invariably mean the forecast profits are downgraded to losses.

One of the expense areas most affected is marketing, which has a knock-on effect on all other areas of the business. Advertising is usually incrementally tied to revenue and profits: the more of both, the more can be spent on marketing the business. The immediate impact data theft has on revenue means fewer dollars to market the business. In most service-type businesses, getting back to where the business was before the theft will take years, let alone getting to where the business would have been had the theft not occurred at all.

Example: Turnover of $700,000.00 achieved after 10 years with average year-on-year growth of 35%. Data theft reduced turnover for the following full year (after the theft) to $152,000.00. If similar historic growth could be maintained, it will take 6 years to get back to where the business was before the theft and 12 years to get to where it would have been had the business been able to continue on its original business plan.

In this example, accounting for profits, damages and lost value at exit would require forensic accounting; however, it is well into 6 figures.

Employees stealing critical data from their employer affects everybody in the business. In addition to internal cost cutting, arrangements invariably have to be made with creditors to keep the business going long enough for cost adjustments to take effect.

Data theft by employees is such an insidious crime it is actually negligent that State and Federal Governments have not introduced legislation that will allow Police to charge callous individuals who would be behind bars if they embezzled the equivalent value in cash.

Open the pdf here.

Monday 8 October 2012

Book - Stress is a choice

We received an email this morning from Mac Anderson over at Simple Truths about a special offer on a great book by David Zerfoss. We felt it was worth publishing here.

Stress is a Choice
An Empty Pickle Jar

A professor stood before his philosophy class and had some items in front of him. When the class began, wordlessly he picked up a very large and empty pickle jar and proceeded to fill it with golf balls.

He then asked the students if the jar was full. They agreed that it was. So the professor then picked up a box of pebbles and poured them into the jar. He shook the jar lightly. The pebbles rolled into the open areas between the golf balls. He then asked the students again if the jar was full. They agreed it was.

The professor next picked up a box of sand and poured it into the jar. Of course, the sand filled up everything else. He asked once more if the jar was full. The students responded with a unanimous "yes."

The professor then produced two glasses of chocolate milk from under the table and poured the entire contents into the jar effectively filling the empty space between the sand.

The students laughed.

The Moral of the Story - The professor waited for the laughter to subside....

"Now," said the professor, "I want you to recognize that this jar represents your life. The golf balls are the important things...your family, your children, your health, your friends, your favourite passions. Things that if everything else was lost and only they remained, your life would still be full."

"The pebbles are the other things that matter like your job, your home, your car."

"The sand is everything else...The small stuff. If you put the sand into the jar first, there is no room for the pebbles or the golf balls. The same goes for life. If you spend all your time and energy on the small stuff, you will never have room for the things that are critical to your happiness."

"Play with your children. Take time to get medical check ups. Take your partner to dinner. Play another 18. There will always be time to clean the house or fix the disposal."

"Take care of the golf balls first, the things that really matter. Set your priorities, the rest is just sand."

This story is a wonderful reminder to focus on what is most important in our lives. And focusing on our priorities is one of the 10 Rules to Simplify Your Life in one of my favorite books...Stress is a Choice.

Many of us hurry through life going from one place to the next, focused on conquering the next mountain, making the next deal, running the next errand, and believing we will never have enough time to do all the things we need to get done. Yet there is all the time in the world if we just realize that we are the creators of this life we choose to live. That's right. Life is a series of choices, and being free from stress is one of those choices.

This is a great book by author, Dave Zerfoss that has the potential to change your life! It's also a great gift for almost any occasion.

For more information or to look inside this great book, just click here.

Saturday 6 October 2012

Your Company's most valuable asset - 'data'

For many businesses data, usually secured on a computer, is their most valuable asset. A sudden change or loss of this data can be financially devastating which is why backing up data is so important. Backups however do not account for data theft by an employee.

Some research on data theft will point toward section 308H of the Crimes Act 1900 (NSW), section 9A of the Summary Offences Act 1966 (Vic) and similar legislation in other states, the Criminal Code Act 1995 and the Commonwealth Copyright Act. However, Police will not charge persons who are employed by a business, or who have been given access to it by an employer. There is no legislation that will allow Police to charge persons who misuse authorised access to steal data.

In the health industry, where the ethics of healthcare professionals should be sacrosanct, the governing body, the Australian Health Practitioner Regulation Agency (AHPRA), and its various National Boards (Medical, Chiropractic, Osteopathy, Physiotherapy, etc.) treat the act of stealing a patient database and removing it from a medical facility, without authorisation or the written permission of patients, as an “industrial dispute”.

In other words this type of theft does not breach the ethical requirements of membership of Australia’s governing healthcare boards, leaving the civil courts as the only available option for medical practice owners to seek justice.

Patient health records are one of the most prized of all types of data to identity thieves. An organised identity thief will pay a few dollars per patient record just to get hold of the data, and there are numerous clandestine websites where a disgruntled employee, blessed with immunity from prosecution, can upload a database in seconds. Even a small medical practice can have upwards of 20,000 individual patient records.

Most occurrences of unauthorised removal of patient data from a practice don’t end up with an identity thief, and hopefully this continues to be rare. However, if an ethically challenged healthcare professional is prepared to lower their moral standing to the point of stealing from their employer, who would know when patient identifying information is passed on to an identity thief?

Greed is good, said Gordon Gekko and it is greed that drives the ethically challenged to breach their agreements and steal data from their employer.

More often it is done to help them negotiate a more lucrative position with a competitor or to assist them in starting their own business. Most medical practice owners will actually reject employment applications if they know the applicant is bringing stolen patient data. Apart from the moral and ethical issues, there will always be the concern that, having done it once, the thief will likely do it again.

Usually these morally bankrupt individuals will start their own practice using the data and the relationships they built with patients while at their previous employer, to lower the risk of starting a new business and to keep their lucrative salary intact.

Organising premises in close proximity to their previous employer and contacting the patients by SMS and e-mail to let them know their practitioner has moved and invite them to make their next appointment with them is all that is required to start the new practice. The usual business risks and investment associated with starting a new practice, and the many years required to develop it into a lucrative business, have now been reduced to virtually zero.

Under the guidelines of the Office of the Australian Information Commissioner (OAIC), incidences of data theft require business owners to immediately notify affected consumers that their data may have been compromised.

In the case of healthcare, patients believe, or want to believe, their practitioner's explanation for moving on from their previous employer and will be happy to continue the relationship with the thief. Involving patients in a dispute between a practice owner and their healthcare professional by notifying them of a breach serves no purpose other than to potentially further alienate the patient.

Abiding by the guidelines of the OAIC and notifying patients raises the question of security and more often than not leads to complaints and abusive calls to the practice, enquiring how their information was compromised in the supposedly secure environment described in most medical practice privacy policies.

It also raises the question of the patient’s right to see whichever healthcare professional they choose, which is not the intended purpose of a breach notification. The notification is instead viewed as resentment on the part of the ex-employer.

One misleading and deceptive post on a blog by a healthcare professional, justifying his own and others' theft of patient data from their employers following a breach notification, was published as follows:

“The patient’s relationship is with the practitioner, and therefore the owner (or custodian) of those records (“goodwill”) is that practitioner. A clinic is a shell, building, cash collection service, but your relationship will always be with your health care worker, not the receptionist or the practice owner.”

The author of this post used an unsuspecting receptionist’s login to dump the patient database onto a USB drive and remove it from his employer’s healthcare centre.

This same practitioner was originally hired to see the patients of a medical practice that had already been operating for many years before he started. It wasn't he who hired the practice to provide its management and office-related services, as his post suggests. After many years and thousands of dollars invested in marketing and resources by the owners to build the practice, he stole the patient database to start his own practice.

This is a typical example of fraud and theft by an unprincipled person and of the moral compass by which they navigate their business life. They justify their morally bankrupt behaviour by highlighting the patient’s relationship with the practitioner.

In this and many similar cases it is never a question of the patient’s right to see whomever they choose; it is the deceitful methods used to steal a well-established and thriving practice. Most agreements between healthcare professionals and their employers contain restrictive and enforceable covenants, including geographic and enticement provisions for an agreed period, usually 12 months.

Geographic provisions in healthcare agreements include not practising with a competitor or starting a practice within an agreed radius of the employer, and enticement provisions include not enticing patients or staff away from the employer. In the example of data theft by the author of the misleading post above, the value of the practice stolen by him was over $500,000.00.

With the lack of legislative support for Police to charge a person or persons who “misuse authorised access” to steal data, business owners are left with few alternatives other than to chase down these individuals in the civil courts. Prosecuting civil cases can cost hundreds of thousands of dollars and may take years to complete. In most cases the thief is never pursued, which provides additional incentive for employees to commit fraud and is likely a primary reason for the data theft epidemic in Australia today.

Commercial lawyers advise business owners to make sure employment agreements are robust, particularly on data ownership, security and restrictive covenants. However, even the most binding contract requires business owners to prosecute the thief civilly, so it can’t be relied upon to stop data theft by unethical employees from occurring in the first instance.

Business owners still need deep pockets, persistence and a willingness to pursue the thief in the civil courts when insider theft of data occurs. In some cases the theft will devastate a business financially, making it impossible to take on the added expense of litigation. An injunction and surety over costs runs to over $200,000.00. Expected total costs of civil proceedings will usually exceed $200,000.00 to $250,000.00.

Even if business owners have the money, time and persistence to head off to court, they will be distracted from running their business and frustrated by the legal process. Whilst business owners are head down trying to rescue the business from the financial effects of the theft, with the added burden of running an exasperating, costly legal challenge, the thief is enjoying the benefits of his prize, using some of the revenue he has stolen from the business to defend himself.

To add to the frustration, the thief may have no assets in his name, so regardless of any judgement against him, compensation for legal costs, the theft and damages is unlikely.

In the data theft example provided above the affected business was advised not to pursue the thief purely on commercial grounds. The individual concerned had no assets to speak of so prosecuting the case was going to be a pointless waste of money, time and resources.

However, not prosecuting in this case left the door open for the thief to publish misleading and deceptive information to patients supporting the deceit perpetrated on their ex-employer further affecting the business, its owners and employees.

If your primary asset is data, you need to examine every possibility for theft to occur from within your business, even by your most trusted employees, in addition to building a paper wall around the asset. Make it a priority to have very specific agreements covering data with employees, and take out cyber theft insurance. There are a number of insurance companies now providing cover for cyber-crime.
