Saturday 4 April 2015

DATA THEFT - Who can help? Very few.

Your data has been stolen. In a way you’re one of the lucky ones: you've found out that your data was stolen and you might even have proof. So what do you do next, and who do you call to stop it being used and bring the perpetrator to justice?

Let’s run through some likely options:
  • You call your lawyer if you have one. If not you need to find one who understands data theft and can advise you. Good luck.

    If you do find one they will ask to see the employee's contract, partnership agreement or whatever agreement the thief had been engaged under.

    They’ll provide their advice as to whether your contract was clear enough in relation to data, access and use (and it’s probably not that good). In my experience, very few contracts adequately cover data theft.

    They might even suggest writing a legal letter to the person requiring the return of the information, threatening further action and the like.

    To get to this point has probably taken 1-2 weeks and cost you between $5,000-$12,000.

  • You call the police. Alas, they’re not interested because it’s a commercial matter. They advise you to call ASIC, the Australian Securities and Investments Commission, or the Office of Fair Trading.

  • You call ASIC. They are polite but let you know theft of this nature is not within their remit and advise you to call the Police.

  • You call the Privacy Commissioner. They also inform you that they are not responsible for enforcing the law. Depending on the annual turnover of your business you may also have woken another monster: if your turnover is over $3 million then guess what, you may also be liable to a fine from the Privacy Commissioner. Oh, and by the way, the legislation under which you can be fined does not cover the thief; he's entitled to a get out of jail free card. You see, in the OAIC's interpretation of security over personal information, it is the business owner's responsibility, not the thief's.

  • You call the Office of Fair Trading. They can’t help, although they are sympathetic and tell you that they’re getting more and more calls about this every day. They suggest, you guessed it, the Police.

  • You go back to your lawyer, or the specialist your lawyer has put you on to, to discuss progress in relation to the letter that has been sent. Nothing. The lawyer tells you it’s unlikely you’ll be able to successfully sue the person, and that if you wanted to try it would take at least a year and might cost anywhere between $80,000 and $500,000.

In the end, you have to make the call. Your customers/clients/patients are not returning or making appointments, your staff are feeling the pressure, your suppliers are not being paid as regularly as they used to be, your staff/contractors are also not getting paid on time, and you are falling behind on your rent.

You elect not to pursue the thief as you need to focus on your business. Depending on the extent and damage caused by data theft this may not be so easy. Many businesses just close down.

If you do decide to proceed against the thief in the District or Supreme Court and your contracts aren't absolutely explicit on who owns the data, then prepare yourself for disappointment. A recent case that ran for four years in the Supreme Court returned a decision in favour of the thief. There will be more on this case in a coming article.

Who can help you? Well, you can, by recognising the importance of employment contracts that include the necessary clauses in relation to the ownership, use and access levels of the Company’s information and the agreed value of this information. Yes, that's right: you have to quantify the value of the information, or agree a formula in the agreement for how to determine the value. Your privacy policy with customers, and relevant indemnities for any breach of the agreement and/or your privacy policy, also have to be included in the agreement.

Your employee/contractor will need to sign a clause stating that they have sought legal advice prior to signing the agreement. They will need to initial each paragraph in the agreement that refers to ownership of data and/or IP, the indemnity clause covering any loss or damages caused by any breach of your agreement, a clause stating that they have read, understand and agree to your privacy policy and, very importantly, a clause stating that they agree in advance to any changes during the term that may be required for the privacy policy to meet state and federal requirements. They will need to sign your agreement and your privacy policy in front of an independent witness (or witnesses).

You can also take computer security more seriously and invest in a data security review and implement the recommendations.

Will all of this stop a determined data thief? The answer is no, it won't. However, it will assist you in any legal action, particularly injunctive relief to stop them using your data.

If your bottom line is immediately affected by data theft (for example a medical or health related practice) then your only hope is an injunction to stop use. For this you will need a minimum of $50,000 up front and the ability to offer surety over the thief's costs. If your contracts don't stack up on the rights over data, and most don't, you'll lose.

Example: if an insider collects the business cards of your customers whilst working in your premises for a couple of years, sends change of address emails/SMSs alerting those persons that he is now working for a competitor and then resigns from you two days later, according to the Supreme Court that's all on the up and up. In this particular case, after rushing the hearing, the judge took 14 months to hand down his decision in favour of the insider. It must be our convict heritage . . . or am I missing something?

If you need assistance with your agreements we can help point you in the right direction.

Friday 13 March 2015

Data Theft - Once you know, it’s too late!

We have progressed to a near fully digital work environment. Any employee with some computer know-how has the potential to find themselves in a folder they should not be in and to take information out of it.

The reality is, even if you have a sophisticated security, monitoring and tracking system in place across all the computers and mobile devices in your business, you are unlikely to be able to prevent an employee, partner, consultant, or contractor stealing your data.

Big companies spend hundreds of millions of dollars to protect their data and they can’t even stop it. Job function more often than not requires you to provide access, and even limited access won't stop a determined thief. So there’s little chance that SMEs will have the resources, or access to knowledge about what they can realistically do.

So, the real issue in relation to data theft is to do the best you can to make it harder for someone to steal your data, because you are unlikely to find out until it’s too late. And less than a minute after an event is too late. Data can be copied by an employee and gone from your business in literally seconds.

Some examples of data theft
A top sales person could take all your business leads and customer contact details to use when they commence work for another company. You might not find out about this until some of your existing customers don't renew their spend with you or when a good customer calls to let you know an ex-employee is trying to win their business.

An agent in your real estate business may take client and/or rent roll information and the like and either set up on their own or, more likely, move to a competitor.

A doctor or other health professional in your medical practice, who requires access to patient files as a part of their job function (in fact by law has to have access), could copy all the information in the patient files, leave your practice and take your patients with them. When would you know? When he doesn't turn up for work the next day to a waiting room full of patients? Or will it be a patient contacting your office about a change of address text or email they received 5 minutes after the doctor left your centre after a day's work?

The value of patients' contact information is often underestimated. To an identity thief it is the most valuable of all personal data. Contractors and employees have walked away with their employer's patient data just before their month's pay was to hit their bank account. Why wouldn't they wait until they got paid before stealing the data? Because an opportunity to steal and leave with a valuable customer list presented itself, and it was worth risking not getting their pay.

A common response to all the above is that it’s illegal, the information is the company’s/firm’s/practice’s. Firstly, it's not illegal in Australia for an employee to steal data, and do you really think the person stealing the information cares? In fact they probably feel entitled to some if not all of it.

In for a penny in for a pound
In a recent case a Chiropractor not only stole the contact information of patients he had treated, he stole all of his workmates' patient contact information as well; tens of thousands of patients were affected. This ethically challenged individual provided a hacker with his login to get past the levels of security that had prevented him from even seeing, let alone copying, patients' contact details. Now this would have to be illegal! You'd think! In Australia even this act of fraud is not illegal. How long had he worked for his employer? Over 12 years.

Ah, people say, we have non-compete clauses and other restrictive covenants and we can sue the person for theft; our clients/patients/customers would not leave. Guess what? Have you ever tried pursuing someone through the courts in relation to a breach of confidence, a non-compete clause or theft? I have. It costs tens of thousands just to launch an action and you won't get any change out of another hundred thousand dollars (very likely more) to run a case that may take between 1 and 4 years to get through the court process, and then the outcome is not at all certain.

And guess what? The thief can ask the courts for you to provide surety over their costs and damages. In many cases, and particularly in the health industry, the theft of customer data has already affected your cash flow, you are not covering your business expenses and now you are having to fund a protracted court action. You can stop the thief using your data immediately with an injunction, the lawyers will say. You can, if you've got a lazy $80k lying around. Add at least another $50k for surety over the thief's costs. This is big end of town stuff; small business cannot possibly afford these types of actions.

Meanwhile, under a new privacy amendment introduced in 2014, you as the business owner could also be liable for a hefty fine from the Privacy Commissioner, and soon it may also be compulsory to notify everyone affected by the theft, a hugely resource-taxing task on its own. The employee who stole the data in the first instance is not covered by the amendment or any other part of the Privacy Act. Yep, that's right, they get away scot-free. You can blame ex-Labor minister Ms Nicola Roxon and her bureaucrats for that added kick in the guts.

In an earlier post I described what happens when you notify your customers that their personal data has been compromised. Your phones will ring off the hook with customers calling to see what information the thief got, and most of the callers will be abusive because to them it was the company that didn't protect their information. It's a fickle world out there in consumer land. Many customers will follow the thief and many others will leave because you have bad security. If you couldn’t keep their records safe the first time round, why should they trust you?

On top of all this, if your business has been the victim of data theft you are also now facing another reality, particularly if you own a medical practice: "copy cat theft". I will cover this in a future post.

There are some things you can do to minimise the risks through employee contracts and your privacy "agreement" with customers. There are also things you can do using off the shelf security products and monitoring staff behaviour. I'll also be covering some of these in future posts.

Experienced data theft in your business? Send us Your Story.

Sunday 8 March 2015

Who is a Data Thief?

So who’s the thief? Well the bad news is that it could be anyone and they certainly won’t be wearing dark glasses, a hoodie and sloping around your office – although some of your current employees may dress like this.

A data thief is anyone. Your business partner, senior executive team member, employee, tech-support person, contract sales person, a locum, the employed or contracted health care professional, the admin manager, the cleaner, yes even the cleaner ‘could have dunnit.’ Anyone with authorised or unauthorised access to your computer system could steal information from it.

Unauthorised access? In a data theft case in 2010 a Sydney massage therapist used the receptionist's login to download the medical centre's patient list to a disc after she had asked him to watch the front desk while she went to the bathroom. He had worked at the centre for over 6 years and was highly regarded by his peers. He used the stolen patient information to start a massage therapy practice less than 75 metres from his employer. He was reported to the Police and the ATMS. Nothing came of those reports because he had authorised access to "the premises".

Data thieves only need the desire, some knowledge of the systems, most times the password/s (many people still use the word ‘password’ as their password), the opportunity and the time to plan their move. In a very recent case a graduate Osteopath, contracted as a locum, collected business cards or mobile phone numbers from the medical centre's patients. After compiling a large list he used it to secure a position with a competitor and then contacted the patients in a series of change of address texts. Two days after sending out the texts he resigned from his former employer. According to a Judge in the Supreme Court this behaviour is acceptable, and the court found in the Osteopath's favour.

The reality is, there is such a thing as a typical data thief, and some common traits that can provide some, and I mean some, insight into who might be a data thief.

Research shows that a data thief will usually feel entitled to the information and be disgruntled for some reason. They might feel entitled because they helped to create it and therefore have some ownership of it, or entitled because other people in the company are doing it, or because they know the company won’t be able to find out it was them, or that even if it did it won't have the financial means to go after them.

They also might have ambitions of their own. They might want to start their own business, in which case planning the data theft probably started weeks or even months before they walked out the door. De-risking a start-up is one of the most common reasons for data theft, particularly by healthcare professionals. It takes many years and a huge investment in cash and resources to build a medical practice to the critical mass required to be profitable.

Stealing the patient list and sending a series of change of address emails and texts is a very quick way of ensuring the data thief will have patients when they open the doors of their new practice. Most patients will just think the emails and texts are a courtesy to inform them that the practitioner they have been seeing has moved to a new location, and will not be aware of the restrictive covenants in most healthcare professional employment and sub-contractor agreements.

The ‘typical data thief’ will most likely be a current employee, male, in their mid-30s, who requires access to meet their job function. Interestingly, in 75% of reported cases the data thief had authorised access to the data, so you can forget trying to report them to the Police or any other authority.

This last point is where the cleaner comes in. If the cleaner has authorised access to the floor/office your computers are in and steals data only from those computers you’ll be hard pressed getting Police or any other authority involved because he had authorised access to the premises. Perhaps this is where the true meaning of the phrase, ‘being taken to the cleaners’ comes from.

Data Theft - Some Facts

One of the really interesting things about data theft is that it largely goes unreported. What company in their right mind would want to publicise that their customer data has been stolen? How would you feel if your GP called (as they will have to soon do under Australian law) to let you know that all your medical and contact information had been stolen? Not very good.

In fact when we notified affected patients that their information had been compromised by ex-employees, our reception staff received hundreds of abusive phone calls (and texts) in the weeks following the theft. Under the guidelines of the OAIC we notified patients within 2 hours of the theft. All the notification did was drive patients away from the medical centre.

These employee data thieves provided their login to a hacker to access and steal sensitive patient information; however, as far as patients were concerned, we had let them down. Reporting the data theft and those responsible to the Police, OAIC, AHPRA and the HCCC was an absolute waste of time. They did nothing except respond that it was a "commercial matter" and would need to be sorted out in the civil courts. A recent civil case took over three years to get to a hearing in the Supreme Court and over 14 months to get judgement. The civil courts are not a solution, nor are they a deterrent that will stop insiders stealing your customer lists or IP.

Getting stats about data theft is quite hard, and there are hardly any for Australia. But there is some information and it’s pretty shocking.

It is estimated that data theft costs $250 billion in the USA.
  • 14% of breaches were perpetrated by insiders with 7% involving multiple parties
  • 20% of data theft hit information and professional services firms
  • 50% of companies surveyed by the Carnegie Mellon Software Engineering Institute experienced at least one data breach by an insider in the previous year.
  • 59% of employees who quit or leave admitted to taking confidential or sensitive information
  • 62% of employees think it’s acceptable to transfer corporate data to their PCs, tablets, smartphone or cloud sharing application without seeking approval.
  • 90% of IT employees indicated that they would take sensitive data if they were fired.
Now I don’t mean to disparage IT employees specifically or employees generally, but the facts are clear. Data theft is rife and it’s happening across all businesses at much higher rates than anyone is really aware of, because it’s so hard to find the information. Verizon releases a data breach investigations report annually, as do a range of other institutions and organisations.

So, don’t kid yourself that it’s not happening much, or not happening much in your business sector, or to your type of business. The simple fact is, that it is and you need to understand it in order to minimise your risk.

There are some pointers on my website to some of the basic things you can do to minimise your risk so have a look.

If it's happened to you, send us your story.


Saturday 21 February 2015

Who is at risk of data theft?

Everyone who owns a business that involves the collection and management of data – well that’s just about everyone in business these days – is at risk of data theft. For example: a real estate agent has a list of potential buyers, clients with houses to sell, properties they manage (Rent Roll) etc. Imagine if one of the agents took any of these lists, let alone all three.

Another example: a medical practice that has patient files, not just the patient’s contact details but their medical records. Any insider with access to these files could remove or copy them, take them out of the business and use them to set up a new practice or to negotiate a position with a competitor. Can’t happen, you say; the law would stop them. No it won’t, and it does happen: it happened to me.

One more example: an online training business/consultancy. One of the trainers, who might even be a contractor, gets authorised access to the business's database of clients AND their learning tools, copies them and sets up their own business. Can’t happen, you say. It happens all the time, and it's next to impossible to stop them.

ALSO, under the Office of the Australian Information Commissioner's (OAIC) guidelines you are supposed to notify patients (or customers) that their information may have been breached. What effect does this notification have on your business? You will get calls, many of them abusive, wondering what information was taken and how the thieves were able to breach your security. The breach notification actually causes additional harm to the business's reputation and will very likely drive patients or customers away. The OAIC will do nothing to the thief; however, your business may also suffer the additional financial hit of a massive fine from the Privacy Commissioner.

I know you are thinking that's just not fair, that can't be right. In Australia my dear reader that is absolutely right, insider data thieves are absolutely immune from prosecution by any authority.

ANY business that relies on a database is at risk. If you are a small-to-medium sized business you’re actually more at risk as you simply won’t have the money, time or resources to pursue the person who stole the data, and every moment you spend on chasing them, that person is stealing your customers and your business.

And this is even more important if you run your own small consultancy business. It may be just you, and therefore you might feel safe. But who has access to your computer, who maintains your website, runs your EDM campaigns, does your marketing? Most of these tasks require access to your database, or can open an electronic door to your database. So you’re at risk too.

The best thing you can do, and really the only thing you can do, is be aware. And in the case of data theft be alert and alarmed as well.

There are things you can do to minimise the risk … recognising there is a risk is the first important step.

Thursday 12 February 2015

Data theft - what is it?

Data theft is when someone takes information (data) from you/your business without authority to do so. There is almost always the intention to use it for personal financial gain – to start up a new business or work in a business that is in competition to yours, on-sell the information to a competitor or encourage your clients/customers to purchase services or products elsewhere.

It’s important to understand that we’re talking about people who are in your business and who may well have access to certain levels of data within your company right now. In fact, most employees need a certain level of access to data these days to undertake their job function. Once people have access to data, or to the computers and hard drives that data is stored on, it's not hard for them to copy it and steal it.

So, data theft occurs when a person in your business steals information from you. It’s like any other theft, it’s the theft of your data ‘your property’.

There’s a big difference between data theft and other types of property theft though. You’d know pretty quickly if your car, wallet, laptop, phone or credit cards were stolen, and you’d be able to call on various people, the police and other authorities, to prevent the use of them. With data theft, you probably won’t know that the data has been stolen until well after it's walked out the door or been sent to another device.

And here’s the real challenge and problem.

After the employee has stolen your data assets it's next to impossible to prevent them from using it, physically or through the courts. Data can be disseminated in literally seconds. It's gone, and there is nothing you can do to stop its use unless:
1. you can prove the culprit took it;
2. you have enough money to injunct the person to prevent them from using it;
and in Australia you'll need a big chunk of change and resources just to raise an injunction, let alone provide surety over costs to the courts and the thief. That's right, the thief can ask the courts that you provide a guarantee over their costs to defend against your allegations, and then use the financial gains they have made from the theft to defend themselves.

A very recent case took three years in the Supreme Court to get to hearing and another 14 months to get a decision from the Judge. The business from where the data was stolen lost their case and the thief and the competitor he took the data to have both prospered financially.

Data theft would have to be the biggest source of fraud in the world that is rarely successfully prosecuted … and the data thieves, particularly in Australia, know this.

So, if data is important to your business, you need to really start thinking about how you protect it (and I’m not talking about spam or standard security software here), how you store it, what levels of access you allow to it and how you monitor its access and use. And, very importantly, you have to be very aware of changes in employee attitudes toward you, other staff and/or the business.
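Monitoring access and use is the one item in that list where a small practice can get an early signal without a big product. The cases on this blog leave two footprints in an ordinary access log: a clinician reading far more patient files than usual in a short window (the bulk copy before walking out), and one login active from two places at once (the receptionist's login used at the desk while she was away, or a login handed to an outsider). The following is an added example, not the blog author's code and not a product the page mentions, that runs both checks over a constructed audit log. The line format, the user names, the addresses and the thresholds are assumptions; map them onto whatever audit export your practice-management or CRM system produces.

```python
"""Two audit-log checks for insider patterns: a bulk copy of patient files,
and a login lent to someone else. Added example; the log layout is assumed."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from statistics import median

# One audit record per patient-file read: when, who, from which address, which file.
Event = namedtuple("Event", "ts user src patient")


def parse_log(text):
    """Parse lines of the assumed form '<ISO timestamp> <user> <source ip> <patient id>'.
    Map your own system's audit export onto Event before running the checks."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, src, patient = line.split()
            events.append(Event(datetime.fromisoformat(ts), user, src, patient))
    return events


def build_sample_log():
    """Constructed sample log (not real data): five normal days, then a bulk
    copy by one clinician and the reception login used from an outside address."""
    lines = []
    day0 = datetime(2015, 3, 2, 9, 0)
    for day in range(5):
        for i in range(20):  # the clinician reads about 20 files a day
            ts = day0 + timedelta(days=day, minutes=15 * i)
            lines.append(f"{ts.isoformat()} dr_smith 10.0.0.21 P{1000 + 20 * day + i}")
        for i in range(15):  # reception looks up about 15 bookings a day
            ts = day0 + timedelta(days=day, minutes=20 * i)
            lines.append(f"{ts.isoformat()} reception 10.0.0.5 P{3000 + 15 * day + i}")
    day5 = day0 + timedelta(days=5)
    for i in range(400):  # 400 distinct files in under half an hour: a bulk copy
        ts = day5 + timedelta(seconds=4 * i)
        lines.append(f"{ts.isoformat()} dr_smith 10.0.0.21 P{5000 + i}")
    # Reception's account active from the desk and from outside two minutes apart.
    lines.append(f"{(day5 + timedelta(hours=3)).isoformat()} reception 10.0.0.5 P3100")
    lines.append(f"{(day5 + timedelta(hours=3, minutes=2)).isoformat()} reception 203.0.113.9 P3101")
    return "\n".join(lines)


def distinct_reads_per_day(events):
    """user -> date -> number of distinct patient files read that day."""
    seen = defaultdict(lambda: defaultdict(set))
    for e in events:
        seen[e.user][e.ts.date()].add(e.patient)
    return {u: {d: len(p) for d, p in days.items()} for u, days in seen.items()}


def flag_bulk_access(events, factor=5, min_reads=50):
    """Flag a user-day whose distinct-file count is at least min_reads and more
    than `factor` times that user's median over their other days. The thresholds
    are assumptions; set them per role, since a locum's normal day differs from a clerk's."""
    flags = []
    for user, per_day in distinct_reads_per_day(events).items():
        for day, count in sorted(per_day.items()):
            others = [c for d, c in per_day.items() if d != day]
            baseline = median(others) if others else 0
            if count >= min_reads and count > factor * baseline:
                flags.append((user, day, count, baseline))
    return flags


def flag_shared_sessions(events, window=timedelta(minutes=10)):
    """Flag an account active from two different source addresses within
    `window`: the footprint of a login lent to a colleague or an outsider."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_user[ev.user].append(ev)
    flags = []
    for user, evs in by_user.items():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b.ts - a.ts > window:
                    break
                if a.src != b.src:
                    flags.append((user, b.ts, a.src, b.src))
                    break  # one alert per originating event is enough
    return flags


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    for user, day, count, baseline in flag_bulk_access(evs):
        print(f"bulk access: {user} read {count} files on {day} (median day: {baseline})")
    for user, ts, src_a, src_b in flag_shared_sessions(evs):
        print(f"shared login: {user} active from {src_a} and {src_b} around {ts}")
```

Run as a script it prints one bulk-access alert for the clinician's 400-file morning and one shared-login alert for the reception account. Neither check prevents the copy, which is the point the blog makes, but an alert on the morning of the copy is what turns "you find out when the waiting room is full" into a same-day notification, and the two-address check is the signal the lent receptionist login would have produced. Per-user baselines matter: a flat threshold tuned for a receptionist would page on every normal day of a busy GP.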

Saturday 7 February 2015

Data Theft by Self-entitled or Disgruntled Employees

Why did I start this blog how will it help you?

A few years ago I was the victim of systematic data theft by self-entitled employees, not once but on five separate occasions and all within a relatively short period of time. On various occasions even my identity was stolen by these insiders.

The loss and damages to the business we founded in 1998, to my family and to me were so significant that we lost the business, our home and every other asset we owned, and ended up with over $2 million in personal and business debt.

Rather than be beaten by the experience I started this blog, so that I could help others, particularly those in small-to-medium sized businesses, become more aware about data theft and ways in which they can reduce the chance of it happening to them.

If you think it won’t happen to you, you’re wrong, and it probably already has. If you've had an employee or business partner leave your business with your sales database, patient or customer list, rent or leasing list … any list or other IP, you've experienced data theft. Sometimes it does not have a major impact on your business, but other times it could destroy your business and plunge you into debilitating debt virtually overnight.

The risk of data theft has grown in the last 10 years as a result of the trend of BYOD (bring your own device), cloud-based computing and big data. Even the ubiquitous USB stick makes it dead easy for someone to walk out of your office with your business.

So, I’m sharing my knowledge, my story and the stories of others so that insider data thieves don’t get such a clear run and you can minimise the opportunity they have to ruin your business and possibly your life.

Wednesday 21 January 2015

Ex-Citadel Employee Gets Three Years for Data Theft

Andrew Harris, Bloomberg

USA - A former Citadel LLC employee who admitted stealing data from the Chicago-based investment firm as well as high-frequency trading computer code from a New Jersey company was sentenced to three years in prison.

Yihao “Ben” Pu, who was charged in 2011, pleaded guilty in August to stealing proprietary information from Citadel in 2011 and to an earlier theft of trade secrets from Red Bank, New Jersey-based Tradeworx Inc.

Pu, 27, apologized to both companies as U.S. District Judge Charles Norgle in Chicago handed down the punishment today. He told the judge the thefts were “the most regrettable actions” of his life.

“I’ve paid a price for this case, personally, professionally, financially,” Pu said.

Citadel, founded by billionaire Kenneth C. Griffin, manages more than $24 billion, according to its website. Pu worked for the firm as a quantitative financial engineer from May 2010 to August 2011.

Prosecutors sought a sentence from seven years and three months to nine years, citing the loss to the two firms. Citadel said in a letter to Norgle that the firm had spent more than $10 million on research and development of its stolen data.

Pu’s lawyers said the companies lost no more than $2,000. Norgle concluded that the loss was around $12 million total. Pu must surrender to prison by May 1.

Obstructed Probe
A co-defendant, Sahil Uppal, who in August pleaded guilty to obstructing a criminal investigation, was sentenced today to three months’ probation. Pu and Uppal worked together at Tradeworx before joining Citadel four months apart in 2010. By the time he’d arrived at the firm, Pu had taken code from Tradeworx, he told the court at his August plea. Uppal admitted he wrote code for Citadel, then secretly transferred it to a computer he and Pu used. In August 2011, Citadel officials confronted Pu with suspicions he’d stolen data and told him to return it. Uppal and a person who wasn’t identified later removed computer hardware from Pu’s apartment, including hard drives with the firm’s confidential information, Assistant U.S. Attorney Lindsay Jenkins told Norgle during Uppal’s August hearing.

The two must repay Citadel a total of almost $760,000 to cover the cost of its investigation, the judge said.

Katie Spring, a Citadel spokeswoman, declined to comment on the sentences. Tradeworx didn’t immediately respond to a voice-mail message.

The case is U.S. v. Pu, 11-cr-00699, U.S. District Court, Northern District of Illinois (Chicago).

Friday 9 January 2015

Morgan Stanley reveals theft of client data by insider

Morgan Stanley said that up to 10 per cent of its wealth management clients had their account information stolen by an employee who may have been looking to sell it.

The US bank’s wealth management arm has about 3.5m clients. An employee “briefly” published to the internet the account names and numbers of about 900 of those clients.

The employee was fired and the incident reported to law enforcement and regulators, Morgan Stanley said, adding that there was “no evidence of any economic loss to any client”. The Federal Bureau of Investigation has been notified.

A person familiar with the matter said the employee was a financial adviser named Galen Marsh, a 30-year-old based in New Jersey. The Wall Street Journal first reported his identity.

The person familiar with the matter said Morgan Stanley believed Mr Marsh was attempting to sell the data. However, Mr Marsh denies this.

Robert Gottlieb, a lawyer at Gottlieb & Gordon, who is representing Mr Marsh, said: “This is an employment matter between Mr Marsh and Morgan Stanley. He has acknowledged that he should not have obtained the account information and has been co-operating with Morgan Stanley to protect the firm and its customers. To be clear, Mr Marsh did not sell nor ever intended to sell any account information. He did not post account information online. Nor did he share any information with anyone. Nor use it for any financial gain. He is devastated by what has occurred and is extremely sorry for his conduct.”

The data breach is large: Morgan Stanley operates the second-biggest wealth management operations in the US, behind Merrill Lynch, and serves the equivalent of more than one in 100 Americans, who use brokerage accounts to trade stocks and bonds.

But it is dwarfed by several big data breaches in 2014, including the 76m households affected by a hacking incident at JPMorgan Chase, the nation’s largest bank by assets.

In that incident, which is believed to have been perpetrated by outside computer hackers, JPMorgan disclosed in October that contact details, but no account numbers or social security numbers, were compromised.

The Morgan Stanley theft shows the difficulties financial institutions have in securing their data against internal threats. 

Companies have made progress in securing the “perimeter” of their computer systems, according to security companies, but have struggled to reduce the opportunities for employees to steal potentially valuable data.

“The data stolen does not include account passwords or social security numbers,” Morgan Stanley said in a statement. “The firm is taking the precaution of notifying all potentially affected clients and instituting enhanced security procedures including fraud monitoring on these accounts.”

Shares in Morgan Stanley were down 3.1 per cent by the close in New York.

Morgan Stanley discovered the published account information on December 27 during routine scans of the internet, according to a person familiar with the matter, who said it had received “virtually no hits”.

“Morgan Stanley takes extremely seriously its responsibility to safeguard client data, and is working with the appropriate authorities to conduct and conclude a thorough investigation of this incident,” the bank said.

Getting larger in wealth management has been a big — and apparently — successful gamble by chief executive James Gorman in an attempt to move Morgan Stanley away from riskier fixed income trading and towards a more reliable source of revenues.

Last quarter Morgan Stanley’s wealth management arm made $3.8bn in revenues and pre-tax income of $836m. It employs more than 16,000 financial advisers.