Data Theft Australia
Level 7, 50 King Street
Sydney NSW 2000
Phone +61 4 1870 0054
www.datatheft.com.au

Senator The Hon George Brandis SC
Deputy Leader of the Opposition
Shadow Attorney General
PO Box 6100
Senate
Parliament House
Canberra ACT 2600

By email: [email protected]

August 12, 2013
Dear Senator,

RE: Proposed Privacy Amendment (Privacy Alerts) Bill 2013

The challenge for any business is that limiting user access to sensitive data is not a viable strategy for preventing data theft. Employees and sub-contractors (for example, health workers) across most industries need access to view and change critical data to perform their everyday job functions. An insider cannot be charged by Police or any other authority for data theft.

Identity theft is only a fraction of the problem and cost to the community when compared to insider data theft. Data theft by insiders is affecting thousands of businesses and costing business owners, their employees and their families billions of dollars each year, and this doesn't include the knock-on effect on other parts of the community.

The allure of the black market, for some insiders, will eventuate in personal data being passed to identity thieves. Identity theft on any major scale will originate from insider data theft, and the medical industry is one of the most susceptible given the information contained in a patient record and the access workers require to meet their job requirements. In fact, on the black market in the USA, medical records are more valuable than a social security number. According to Dr. Deborah Peel of Patient Privacy Rights, it costs just 50 cents to a dollar to buy a social security number, but $14 to $24 to buy someone's private medical details.

It is not uncommon in some industries for even a small business to have many thousands of customer records. In the case of a small to medium size private medical practice this could easily be 30,000 patient records or more. An online sales business may have hundreds of thousands of customer records. What does the business owner do if they suspect an employee has stolen customer or patient records? Do they assume the whole database has been breached and contact every customer or patient?

The resource costs alone for a small business to notify every customer or patient and then deal with the fallout and enquiry that follows will likely devastate the business financially. This is on top of the immediate effect insider data theft has on business earnings. For many businesses their customer or patient list is their most valuable asset and the primary source of revenue.

Business owners can't rely on Police, the Privacy Commissioner, AHPRA, HCCC, ASIC, Fair Trading or any other authority to investigate insider data theft. Their response to data theft reports to date is that it is a commercial matter to be dealt with in the civil courts. The prospects of a small business being able to fund protracted litigation following insider data theft are virtually nil. If an insider embezzled cash equal in value to what is, in many cases, a business's most valuable asset [the customer database], they would likely be spending a number of years in gaol. Removing customer information without the authority of the customer and the business owner is theft and often, just like stealing cash, has an immediate financial impact on the business and on everybody who works in the business and their families.

The Amendment Bill is a double whammy for business owners, who cannot even insure against the risk of insider data theft and the losses that the theft and the impost of the Bill's requirements will have on their business, entirely due to the lack of legislative powers for any authority to charge insiders. Even the most secure of systems is susceptible to data theft due to employee access. It is the misuse of access by insiders that is the issue, and rarely ever the business owner's negligence in providing suitable security over what is often their most valuable asset.

It is essential that any proposed amendment to the Privacy Act provides authorities with legislative powers for Police to prosecute insider data thieves.
Yours faithfully
Brad Robinson
Data Security Consultant
[email protected] +61 4 1870 0054
Attachment (next page): Actual example of repeated data thefts in one Sydney CBD organisation
The organisation has the best available security over its database.
Job function requires employees to have access to critical customer information.
In each case access was abused by employees to steal customer identifying information.