Saturday 21 February 2015

Who is at risk of data theft?

Everyone who owns a business that involves the collection and management of data – well that’s just about everyone in business these days – is at risk of data theft. For example: a real estate agent has a list of potential buyers, clients with houses to sell, properties they manage (Rent Roll) etc. Imagine if one of the agents took any of these lists, let alone all three.

Another example: a medical practice that has patient files, not just the patient’s contact details but their medical records. Any insider with access to these files could remove or copy them and take them out of the business and use them to set up a new practice or use the files to negotiate a position with a competitor. Can’t happen you say, the law would stop them. No it won’t, and it does happen, it happened to me.

One more example: An online training business/consultancy. One of the trainers, who might even be a contractor, gets authorised access to the business's database of clients AND their learning tools, copies them and sets up their own business. Can’t happen you say. It happens all the time, and it's next to impossible to stop them.

ALSO, under the Office of the Australian Information Commissioner's (OAIC) guidelines you are supposed to notify patients (or customers) that their information may have been breached. What effect does this notification have on your business? You will get calls, many of them abusive, wondering what information was taken and how the thieves were able to breach your security. The breach notification actually causes additional harm to the business's reputation and will very likely drive patients or customers away. The OAIC will do nothing to the thief; however, your business may also suffer the additional financial hit of a massive fine from the Privacy Commissioner.

I know you are thinking that's just not fair, that can't be right. In Australia, my dear reader, that is absolutely right: insider data thieves are absolutely immune from prosecution by any authority.

ANY business that relies on a database is at risk. If you are a small-to-medium sized business you’re actually more at risk as you simply won’t have the money, time or resources to pursue the person who stole the data, and every moment you spend on chasing them, that person is stealing your customers and your business.

And, this is even more important if you run your own small consultancy business. It may be just you and therefore you might feel safe. But who has access to your computer, who maintains your website, runs your EDM campaigns, does your marketing? Most of these tasks require access to your database – or can open an electronic door to your database. So you’re at risk too.

The best thing you can do, and really the only thing you can do, is be aware. And in the case of data theft be alert and alarmed as well.

There are things you can do to minimise the risk … recognising there is a risk is the first important step.

Thursday 12 February 2015

Data theft - what is it?

Data theft is when someone takes information (data) from you/your business without authority to do so. There is almost always the intention to use it for personal financial gain – to start up a new business or work in a business that is in competition to yours, on-sell the information to a competitor or encourage your clients/customers to purchase services or products elsewhere.

It’s important to understand that we’re talking about people who are in your business who may well have access to certain levels of data within your company right now. In fact, most employees need a certain level of access to data these days to undertake their jobs - job function. Once people have access to data, or the computers and hard drives that data is stored on, it’s not hard for them to copy it and steal it.

So, data theft occurs when a person in your business steals information from you. It’s like any other theft, it’s the theft of your data ‘your property’.

There’s a big difference with data theft and other types of property though. You’d know pretty quickly if your car, wallet, laptop, phone, credit cards were stolen and you’d be able to call on various people, the police, other authorities to prevent their use of it. With data theft, you probably won’t know that the data has been stolen until well after it’s walked out the door or been sent to another device.

And here’s the real challenge and problem.

After the employee has stolen your data assets it’s next to impossible to prevent them from using it, physically or through the courts. Data can be disseminated in literally seconds. It’s gone, baby, and there is nothing you can do to stop its use unless:
1. you can prove the culprit took it;
2. you have enough money to injunct the person to prevent them from using it;
and in Australia you'll need a big chunk of change and resources just to raise an injunction, let alone provide surety over costs to the courts and the thief. That's right, the thief can ask the courts that you provide a guarantee over their costs to defend against your allegations and then use the financial gains they have made from the theft to defend themselves.

A very recent case took three years in the Supreme Court to get to hearing and another 14 months to get a decision from the Judge. The business from where the data was stolen lost their case and the thief and the competitor he took the data to have both prospered financially.

Data theft would have to be the biggest source of fraud in the world that is rarely successfully prosecuted … and the data thieves, particularly in Australia, know this.

So, if data is important to your business, you need to really start thinking about how you protect it (and I’m not talking about spam or standard security software here), how you store it, what levels of access you allow to it and how you monitor its access and use. And very importantly you have to be very aware of changes in employee attitudes toward you, staff and/or the business.

Saturday 7 February 2015

Data Theft by Self-entitled or Disgruntled Employees

Why did I start this blog? How will it help you?

A few years ago I was the victim of systematic data theft by self-entitled employees not once but on five separate occasions and all within a relatively short period of time. On various occasions even my identity was stolen by these insiders.

The loss and damages to the business we founded in 1998, my family and me were so significant that we lost the business, our home, every other asset we owned and ended up with over $2 million in personal and business debt.

Rather than be beaten by the experience I started this blog, so that I could help others, particularly those in small-to-medium sized businesses, become more aware about data theft and ways in which they can reduce the chance of it happening to them.

If you think it won’t happen to you, you’re wrong, and it probably already has. If you've had an employee or business partner leave your business with your sales database, patient or customer list, rent or leasing list … any list or other IP, you've experienced data theft. Sometimes it does not have a major impact on your business, but other times it could destroy your business and plunge you into debilitating debt virtually overnight.

The risk of data theft has grown in the last 10 years as a result of the trend of BYOD (bring your own device), Cloud-based computing and big data. Even the ubiquitous USB makes it dead easy for someone to walk out of your office with your business.

So, I’m sharing my knowledge, my story and the stories of others so that insider data thieves don’t get such a clear run and you can minimise the opportunity they have to ruin your business and possibly your life.