Friday 2 August 2013

Has your business been a victim of Data Theft?

Small business owners are potentially facing financial ruin as a result of the ill conceived Privacy Amendment (Enhancing Privacy Protection) Bill 2012, introduced late in 2012 by Nicola Roxon, that didn't consider many of the representations made by key stakeholders directly affected by its introduction.

Personally Identifying Information (customer records)

As at March 2014 business owners may be obligated to notify affected persons of any breach of their personal information and at the discretion of the Privacy Commissioner may be liable to heavy fines.

We agree if a business deliberately sets out to breach the Privacy of its customers or does not provide adequate security over customer information they should be fined and obligated to notify their customers of the breach. However the bill has failed to address insider (ex-employee) data theft.

Employees require access and misuse of that access to steal customer data is not covered by the bill. Independent Research has indicated 70% of IP or data theft is committed by insiders. In a speech at a Canberra Press gathering Ms Roxon admitted that the greatest threat to data security within Government is corrupted public servants.

The challenge for any business is that limiting user access to sensitive data is not a viable strategy to preventing data theft. Employees, sub contractors (example health workers) across most industries need access to view and change critical data to perform their everyday job functions.

An insider cannot be charged by Police or any other authority for data theft.

Identity theft is only a fraction of the problem and cost to the community when compared to insider data theft. Data theft by insiders is affecting thousands of businesses and costing business owners, their employees, their families billions of dollars each year and this doesn't include the knock on effect to suppliers.

Readers may remember attending their local medical centre and seeing the large number of paper folders containing patient information housed in lockable cabinets. Some practices still use this method to store patient records. Lucky them. You can't conceal very many paper folders and remove them without being noticed and you would need a truck to remove thousands.

With initiatives provided by Government and a need to move into the digital age medical practices all over Australia computerised patient files and installed practice management software to manage them. Computerised records provide the morally bankrupt healthcare worker a quick and easy way to rip off their employer and it is happening at epidemic levels all over Australia.

The Health industry is not the only business category subject to this insidious type of fraud. It is happening across many business categories and will continue whilst our Politicians and bureaucrats choose to deny it is even a problem.

It would not be uncommon in some industries for even a small business to have many thousands of customer records. In the case of a small to medium size medical practice this could easily be 30,000 patient records or more. An on line sales business may easily have hundreds of thousands of customer records. What does the business owner do if they suspect an employee has stolen customer records? Do they assume the whole data base has been breached and contact every customer?

Business owners can't rely on Police, The Privacy Commissioner, ASIC, Fair Trading or any other authority to investigate insider data theft. Their response to a report will be it is a commercial matter to be dealt with in the civil courts.

If an insider embezzled in cash an amount that equalled the value of, in many cases a business's most valuable asset [customer database] they would likely be spending a number of years in gaol. Removing customer information without the authority of the customer and the business owner is theft and often, just like stealing cash, has an immediate financial impact on the business and everybody who works in the business and their families.

The only recourse for affected business owners is very expensive usually protracted litigation in the District or Supreme Courts. Very few if any small business owners can sustain the financial impact of data theft, pay the huge costs of litigation let alone having to now face a heavy fine, the resource cost of notifying affected customers and managing the fallout from that notification.

Even if the business owner does pursue the data thief in the civil courts it takes many months sometimes years to get a judgement.

The Amendment Bill is a double whammy for business owners while the insider data thief remains immune from prosecution more often using the spoils to help secure a position with a competitor or start their own business.

Even the most secure of systems are susceptible to data theft due to employee access.

Rather than join a competitor or start a business a disgruntled employee could just as easily walk out of a business with thousands of customer records and pass them to an identity thief. The first time an affected customer would know about it is when they got a knock on the door from a sheriff chasing down a debt they don't even know about.

It is the misuse of this access by insiders that is the issue and rarely ever the business owners negligence to provide suitable security over what is often their most valuable asset.

Now there are a range of security solutions which provide additional security over data bases and will have access logs, notification bells and whistles and alerts up the wazoo. However, if a disgruntled employee is set on stealing customer data they will get the data. No amount of security can prevent a determined insider data thief.

Another Labour policy, not properly researched and introduced with the promise to fix what?

Do you have a business or know a business which has experienced data theft by an ex-employee? Submit your story.