Friday 20 June 2014

Govt Refuses to Support Privacy Alerts Bill

By Allie Coyne, itnews

The Coalition Government has refused to back a reinvigorated bill that would force companies to notify customers of a data breach, saying while it agrees with the concept in principle, the proposed legislation needs more work.

In March this year Labor Senator Lisa Singh re-introduced the lapsed Privacy Alerts Bill, which failed to be heard in the Senate before the upper house closed ahead of the 2013 federal election.

The text of the current Privacy Alerts Bill 2014 is identical to the Privacy Alerts Bill 2013. It seeks to compel entities that suffer a serious data breach - involving personal, credit, or tax file number data - to notify the Privacy Commissioner and individuals affected as soon as possible.

The previous bill received unconditional support from a parliamentary committee investigating the issue, but Coalition senators at the time expressed concerns about a lack of definition around terms like “serious breach” and “serious harm” in the bill, along with the speed with which the legislation was drafted.

Coalition senators today repeated the same concerns in a second reading of the bill in the Senate, arguing that by re-introducing a bill with text identical to the previous "rushed" bill, Labor had failed to address the issues highlighted in the last round of debate.

Data Theft: "The Bill has not been well thought out and has not taken into consideration many of the submissions made by key stakeholders."


Data Theft Submission - August 2013

Saturday 14 June 2014

Your Biggest Cybersecurity Threat Isn't Coming From the Outside

by Elizabeth Palermo, Business News Daily Contributor

The biggest threat to your company's cyber security isn't malware, phishing scams or even hackers — it's you. In a series of studies published last week, three security research firms asked employees at midsize businesses across America about the biggest threats to corporate cyber security. And while the surveys each pointed to slightly different culprits, the verdict was clear: employees are the weakest link in the security chain.

The largest of the three studies — a Stroz Friedberg online survey of more than 700 information workers — found that senior management may be the biggest threat to an organization's digital well-being. Fifty-eight percent of senior managers reported having (digitally) sent sensitive information to the wrong person. Compare that with just 25 percent of lower-level employees guilty of the same misstep. And more than half of all senior managers in the study admitted to taking files with them after they left a job. Only 25 percent of rank-and-file employees were found to have done the same.

The Stroz Friedberg study also found that 9 in 10 senior managers admitted to uploading work files to personal email and cloud-based accounts, a faux pas that could lead to intellectual property theft and attacks on corporate networks.

Sunday 1 June 2014

Insider Data Theft - Is your business safe?

Insider data theft incidents are to be taken seriously. In this digital information age, it has become increasingly important to protect your company's intellectual property. In many business cases IP will be the most valuable asset on the company's balance sheet.

Job function often requires authorised access to IP assets, and it is the misuse of this access that provides the keys to the safe.

One of the most common data thefts is the copying or removal of customer lists by an employee for use at their next job, which is often with a competitor, or to help start a new business as a competitor. It happens so often in Australia that it is almost an accepted norm. In many instances part or all of the employer's customer list will be on a company-provided mobile device or a BYOD.

Ex-employees often believe they have an entitlement to customer lists or other IP if they have contributed to it whilst working for their employer. However, despite this misguided belief, they rarely ask their employer whether they can remove or copy this information before leaving with it.

Data can be disseminated in seconds, and once IP has left the building the encore can be financial devastation for company owners, employees and their families, regardless of any legal remedies available to the employer.

Often, following a data theft, the ex-employer's customers are contacted within hours of an insider leaving their previous employer. The contact is usually by SMS, email or both, sent to inform the customer of a change of address for their service or product provider.

It is rare that the customer would think any more of the email or SMS than that it is a courtesy to update their address book. In a recent case the data thief used her ex-employer's company name as part of the reply address in an email to the stolen customer list and built a web page including the ex-employer's company name throughout the text. According to personnel at ASIC and Fair Trading this is not regarded as a serious enough matter to investigate for passing off or deceptive conduct.

Unlike embezzlement, there is no preventive threat of a fraud charge for the insider data thief. The only recourse is the civil courts, a lengthy, often prohibitively expensive road to justice.

In Australia theft of IP by insiders is not a crime. There is no legislation that provides State or Federal Police with powers to charge ex-employee data thieves, and complaints to Governing Regulatory Authorities or Associations will be lucky to receive a response, let alone a reprimand or some form of sanction for the data thief.

In fact, under recently introduced amendments to the Privacy Act, you and/or your business may be heavily fined by the Privacy Commissioner for not providing adequate security over customers' personal information, whilst the data thief remains immune from prosecution.

Industries most affected by data theft are health, real estate, online shopping, accounting and legal, to name some. However, all businesses with valuable IP can be at risk of insider data theft.

Pre-planning and developing policies, security measures and employee / contractor agreements are key to preventing or responding to an insider threat or intellectual property theft.

If you need assistance in data theft prevention contact us.