
Legal challenges arising from data loss

Reviewed by Malcolm Burrows

It’s horrible for any organisation to contemplate the possibility of data loss. Organisations collect and create a variety of data that includes personal, confidential and proprietary information (Intellectual Property). In many instances, loss of this data can be terminal for the organisation. Losses can be economic and reputational, and can be thought of as coming from two (2) distinct sources: external or internal.

[Image: USB port blocker]

Source of risk

External data loss

In the classic third party hacking event, the responsible party can be anywhere from the same building to any part of the world. That said, in tracking the culprit, investigators should not overlook suppliers to the organisation and their staff, who may have sought to profit. Competitors can be another often overlooked external source when it’s easy to blame distant third parties. In either case, in pursuing a legal remedy, the issue is always about identifying the perpetrator with sufficient precision and admissible evidence to satisfy a Court of the perpetrator’s guilt. In this case, there may be remedies to be pursued under both the criminal and civil law.

Internal data loss

Perhaps a more prevalent source of data loss, which often goes unnoticed in services-based enterprises, is the departing employee or contractor. The sharing economy, coupled with the ease with which data can be ‘transferred’, is quite daunting.

It is not a defence for an employee to say that they wrote something, or that those contacts were ‘mine’, as is all too often retorted. If an employer pays someone to work (and they are an employee at law), their output belongs to the employer, as do any contacts that they may make during the course of their employment. Each case turns on its own facts, of course; however, this general rule is a good place to start for employers.

The legal risks for the organisation will depend on what industry the business operates in and the data that is able to be accessed.  Organisations that have specific statutory obligations such as those in the health and medical, legal, and financial services industries generally have more onerous compliance obligations.

Practical protection measures

There are of course many practical measures that can be implemented to limit loss of data caused by internal sources. Johann Koelmeyer’s article entitled “Intellectual Property Theft: Even your company is vulnerable” identifies many causes of data loss that can, in part, be addressed by adopting some practical protection measures.

Surveillance of computer systems

One of the most practical things that any organisation can do is to conduct some sort of network surveillance. Often described as ‘key stroke loggers’, network surveillance goes one step further and records all activity on a person’s computer, providing management with the opportunity to go back in time to determine what a user was doing at any particular point. If there was any mischief going on, then the software will create admissible evidence of it. Often the activities of a departing employee will only come to light after they have left.

Practically, it is necessary to provide employees in many states of Australia with a ‘notice of surveillance’ to advise that their employer is monitoring their activities. Many businesses find that such monitoring flushes out those employees who are abusing the ‘fair’ internet use policy by reading newspaper articles for hours per day rather than actually doing the work they are paid to do. Surveillance also catches the ‘old chestnut’ of ‘uploading to Hotmail’ or conversing with people on LinkedIn outside the scrutiny of the business.

One of the related benefits of surveillance software is that it creates admissible evidence that can be used to secure the organisation’s data after it has been lost. The alternative, a forensic IT audit, can be expensive and in some instances can be too late to capture the conduct complained of.

Employment contracts

It seems that more and more employment contracts are including clauses that contemplate data loss through social media. Consider the situation where a key staff member is involved in sales and creates connections on LinkedIn during their employment. Who owns those connections when all that has to be done after the employee resigns and commences with a new employer is to add a new job to LinkedIn? A prudent organisation considers this before the employee starts and not after they leave.

Policies

Policies adopted by organisations can also have an impact on data loss, depending on the nature of the organisation’s activities. Privacy policies and physical controls, such as ensuring that all offsite ‘backups’ are encrypted, are some of the proactive steps in the toolkit of security experts such as Johann Koelmeyer that can be taken to protect organisations.

Port blockers

For those businesses that need to protect their data, the thought of the wireless flash drive that can connect to up to eight devices should be alarming. Depending on the nature of the business, one answer could be to simply stop access to flash drives by installing port blockers (pictured above). This also has the benefit of limiting the possibility of introducing viruses to the network via USB. All that needs to be done is to make one or more responsible persons accountable for recording all requests for access via USB, unlocking the respective port and watching its use. The downside is of course that this may create delay.

The USB drive, in my view, is the modern-day equivalent of the Trojan horse. One matter that we were involved with, where it was alleged that the CEO had taken the client list and other intellectual property, showed after a forensic investigation that seven different USB drives were inserted into a laptop over two days, in the week prior to the announcement of their resignation. There’s a legal remedy in these situations called an Anton Piller order (a civil search warrant). The legal issue is that the standard of evidence that a Court requires is quite significant.

Mandatory data breach notifications

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Bill) was introduced to Parliament on 19 October 2016. Once enacted, the Bill will insert new sections 26WA, 26WL and 26WR into the Privacy Act 1988 (Cth) (Act) that will make it mandatory for certain entities to notify affected individuals in the event of a data breach (Data Breach). The Bill states that a Data Breach occurs when:

  • there is an unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
  • the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.

Affected entities are those with an annual turnover of $3 million or more, or certain small businesses that provide a health service, are a credit reporting body, or trade in personal information.

The changes are intended to give at-risk individuals more timely opportunities to take personal action, such as changing their passwords and other information, before their personal information can be further compromised. It is also anticipated that the mandatory notification requirement will provide entities with a strong incentive to improve security standards relating to personal information.

Evidence

Practically, whether the source of the data loss is internal or external, adducing admissible evidence against the perpetrator in support of a claim to protect the data is perhaps the biggest issue. If the information lost is confidential in nature, the law of equity will generally intervene; however, this is a classic example of “prevention being better than cure”.

Links and further references

Legislation

Privacy Act 1988 (Cth)

Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth)

Further information about data loss

If you need advice on limiting liability associated with a data loss, or would like to understand your legal options to protect against it, please contact me for a confidential and obligation-free discussion.

