
Legal issues for data loss

Reviewed by Malcolm Burrows

It’s horrible for any organisation to contemplate the possibility of data loss.  Organisations collect and create a variety of data that includes personal, confidential and proprietary information (Intellectual Property).  In many instances, loss of this data can be terminal for the organisation.  Losses can be economic and reputational and can be thought of as coming from two (2) distinct sources, external or internal.

[Image: USB port blocker]

Source of risk

External data loss

In the classic third party hacking event, the responsible party can be anywhere from in the same building to any part of the world.  That said, in tracking the culprit investigators should not overlook suppliers to the organisation and their staff who may have sought to profit.  Competitors can be another often overlooked external source when it’s easy to blame distant third parties.  In either case, in pursuing a legal remedy, the issue is always about identifying the perpetrator with sufficient precision and admissible evidence to satisfy a Court of the perpetrator’s guilt.  In this case, there may be remedies to be pursued under both the criminal and civil law.

Internal data loss

Perhaps a more prevalent source of data loss, which often goes unnoticed in services-based enterprises, is the departing employee or contractor.  The sharing economy coupled with the ease with which data can be ‘transferred’ is quite daunting.

It is not a defence for an employee that they wrote something, or that those contacts were ‘mine’, as is all too often retorted.  If an employer pays someone to work (and they are an employee at law), their output belongs to the employer, as do any contacts that they may make during the course of their employment.  Each case turns on its own facts of course, however, this general rule is a good place to start for employers.

The legal risks for the organisation will depend on what industry the business operates in and the data that is able to be accessed.  Organisations that have specific statutory obligations such as those in the health and medical, legal, and financial services industries generally have more onerous compliance obligations.

Practical protection measures

There are of course many practical measures that can be implemented to limit loss of data caused by internal sources.  Johann Koelmeyer’s article entitled “Intellectual Property Theft: Even your company is vulnerable” identifies many issues for loss of data that can, in part be addressed by adopting some practical protection measures.

Surveillance of computer systems

One of the most practical things that any organisation can do is to conduct some sort of network surveillance.  Often described as ‘key stroke loggers’, network surveillance goes one step further and records all activity on a person’s computer, providing management with the opportunity to go back in time to determine what a user was doing at any particular point.  If there was any mischief going on, then the software will create admissible evidence of it.  Often the activities of a departing employee will only come to light after they have left.

Practically, it is necessary to provide employees in many states of Australia with a ‘notice of surveillance’ to advise that their employer is monitoring their activities.  Many businesses find that such monitoring flushes out those employees that are abusing the ‘fair’ internet use policy by reading newspaper articles for hours per day rather than actually doing the work they are paid to do.  Surveillance also catches the old chestnut of ‘uploading to Hotmail’ or conversing with people on LinkedIn outside the scrutiny of the business.

One of the related benefits of surveillance software is that it creates admissible evidence that can be used to secure the organisation’s data after it has been lost.  The alternative, a forensic IT audit, can be expensive and in some instances can be too late to capture the conduct complained of.

Employment contracts

It seems that more and more employment contracts are including clauses to contemplate data loss through social media.  Consider the situation where a key staff member is involved in sales and creates connections on LinkedIn during their employment.  Who owns those connections when all that has to be done after the employee resigns and commences with a new employer is to add a new job to LinkedIn?  A prudent organisation considers this before the employee starts and not after they leave.

Policies

Policies adopted by organisations can also have an impact on data loss depending on the nature of the organisation’s activities.  Privacy policies and physical controls, such as ensuring that all offsite ‘backups’ are encrypted, are some of the proactive steps that security experts such as Johann Koelmeyer have in their toolkit to protect organisations.

Port blockers

For those businesses that need to protect their data, the thought of the wireless flash drive that can connect to up to eight devices should be alarming.  Depending on the nature of the business, one answer could be to simply stop access to flash drives by installing port blockers (pictured above).  This also has the benefit of limiting the possibility of introducing viruses to the network via USB.  All that needs to be done is to charge one or more responsible persons with recording all requests for access via USB, unlocking the respective port and watching its use.  The downside is of course that this may create delay.

The USB drive, in my view, is the modern day equivalent of the Trojan horse.  In one matter that we were involved with, where it was alleged that the CEO had taken the client list and other intellectual property, a forensic investigation showed that seven different USB devices were inserted into a laptop over two days, in the week prior to the announcement of their resignation.  There’s a legal remedy in these situations called an Anton Piller order (a civil search warrant).  The legal issue is that the standard of evidence that a Court requires is quite significant.

Mandatory data breach notifications

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Bill) was introduced to Parliament on 19 October 2016.  Once enacted, the Bill will insert new sections 26WA, 26WL and 26WR into the Privacy Act 1988 (Cth) (Act) that will make it mandatory for certain entities to notify affected individuals in the event of a data breach (Data Breach).  The Bill states that a Data Breach occurs when:

  • there is an unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
  • the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.

Affected entities are those with an annual turnover of $3 million or more, or certain small businesses that provide a health service, are a credit reporting body, or trade in personal information.

The changes are intended to give at-risk individuals more timely opportunities to take personal action in changing their passwords and other information before their personal information can be further compromised.  It is also anticipated that the mandatory notification requirement will provide entities with a strong incentive to improve security standards relating to personal information.

Evidence

Practically, whether the source of the data loss is internal or external, adducing admissible evidence against the perpetrator in support of a claim to protect the data is perhaps the biggest issue.  If the information lost is confidential in nature, the law of equity will generally intervene; however, in this case it’s a classic example of “prevention being better than cure”.

Links and further references

Legislation

Privacy Act 1988 (Cth)

Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth)

Further information about data loss

If you need advice on limiting liability associated with a data loss, or would like to understand your legal options to protect against it, please contact me for a confidential and obligation free discussion:

