Saturday 4 April 2015

DATA THEFT - Who can help? Very few.

Your data has been stolen. In a way you’re one of the lucky ones: you've found out that your data was stolen and you might even have proof! So what do you do next? Who do you call to stop it being used and bring the perpetrator to justice?

Let’s run through some likely options:
  • You call your lawyer if you have one. If not, you need to find one who understands data theft and can advise you. Good luck.

    If you do find one, they will ask to see the employee's contract, partnership agreement or whatever agreement the thief had been engaged under.

    They’ll provide their advice as to whether your contract was clear enough in relation to data, access, and use (and it’s probably not that good). In my experience, very few contracts adequately cover data theft.

    They might even suggest writing a legal letter to the person requiring the return of the information, threatening further action and the like.

    To get to this point has probably taken 1-2 weeks and cost you between $5,000 and $12,000.

  • You call the police. Alas, they’re not interested because it’s a commercial matter. They advise you to call ASIC, the Australian Securities and Investments Commission, or the Office of Fair Trading.

  • You call ASIC. They are polite but let you know theft of this nature is not within their remit, and advise you to call the Police.

  • You call the Privacy Commissioner. They also inform you that they are not responsible for enforcing the law. Depending on the annual turnover of your business, you may also have woken another monster. If your turnover is over $3 million then, guess what, you may also be liable to a fine from the Privacy Commissioner. Oh, by the way: the legislation covering you getting fined does not cover the thief; he's entitled to a get-out-of-jail-free card. You see, in the OAIC's interpretation of security over personal information, it is the business owner's responsibility, not the thief's.

  • You call the Office of Fair Trading. They can’t help, although they are sympathetic and tell you that they’re getting more and more calls about this every day. They suggest, you guessed it, the Police.

  • You go back to your lawyer, or the specialist your lawyer has put you on to, to discuss progress in relation to the letter that has been sent. Nothing. The lawyer tells you it’s unlikely you’ll be able to successfully sue the person and that, if you wanted to, it would take at least a year and might cost anywhere between $80,000 and $500,000.

In the end, you have to make the call. Your customers/clients/patients are not returning/making appointments, your staff is feeling the pressure, your suppliers are not being paid as regularly as they used to be, your staff/contractors are also not getting paid on time, and you are falling behind on your rent.

You elect not to pursue the thief as you need to focus on your business. Depending on the extent and damage caused by data theft, this may not be so easy. Many businesses just close down.

If you do decide to proceed against the thief in the District or Supreme Court and your contracts aren't absolutely explicit on who owns the data, then prepare yourself for disappointment. A recent case that ran for four years in the Supreme Court returned a decision in favour of the thief. There will be more on this case in a coming article.

Who can help you? Well, you can, by recognising the importance of employment contracts that include the necessary clauses in relation to the ownership, use and access levels of the Company’s information and the agreed value of this information. Yes, that's right: you have to quantify the value of the information or agree a formula in the agreement on how to determine the value. Your privacy policy with customers and relevant indemnities for any breach of the agreement and/or your privacy policy also have to be included in the agreement.

Your employee/contractor will need to sign a clause that he has sought legal advice prior to signing the agreement; he will need to initial each paragraph in the agreement that refers to ownership of data and/or IP, the indemnity clause to cover any loss or damages caused by any breach of your agreement, another clause that they have read, understand and agree your privacy policy and, very importantly, that they agree in advance to any changes during the term that may be required for the privacy policy to meet state and federal requirements. They will need to sign your agreement and your privacy policy in front of an independent witness (or witnesses).

You can also take computer security more seriously and invest in a data security review and implement the recommendations.

Will all of this stop a determined data thief? The answer is no, it won't. However, it will assist you in any legal action, particularly injunctive relief to stop them using your data.

If your bottom line is immediately affected by data theft (for example, a medical or health-related practice) then your only hope is an injunction to stop use. For this you will need a minimum of $50,000 up front and an ability to offer surety over the thief's costs. If your contracts don't stack up on the rights over data, and most don't, you'll lose.

Example: If an insider collects the business cards of your customers whilst working in your premises for a couple of years, sends change of address emails/SMSs alerting those persons he is now working for a competitor and then resigns from you two days later, according to the Supreme Court that's all on the up and up. In this particular case, after rushing the hearing, the judge took 14 months to hand down his decision in favour of the insider. It must be our convict heritage . . . or am I missing something?

If you need assistance with your agreements, we can help point you in the right direction.