We read with interest a recent article written by PPD Editor Aidan Goldstraw and published on the PPD website.
The piece is considered and contains a concerning revelation, plus food for thought on how business owners need to protect valuable data and confidential company information. We do not feel the need to make further comment, so with the permission of PPD we publish the article in full below.
Security is priority for businesses by PPD Editor Aidan Goldstraw
Some weeks ago, thousands of people in the promotional products industry received the new BPMA magazine.
Two people, in particular, were very surprised to receive that publication – neither had ever signed up to receive correspondence from the BPMA, nor were they involved in the industry in any shape or form. Their addresses had, in fact, been used – with their consent – as ‘seeds’ in a Customer Focus mailing list; deliberately unique information used as a ‘fingerprint’ to protect valuable data.
The implication of their receiving the magazine was very clear; somehow, this list of recipients had been used by the BPMA for its magazine mailing.
Looking at the wider picture, how much of a problem is data theft? A company director called Bill shared a typical problem on the UK Business Forums website…
“Two ex-employees of ours have left the company, taking with them copies of customer data and company documents. They are offering our existing services at a reduced cost to the customer, but they are working through the customer list stolen from our company. “Our employee contracts do have restrictive covenants in place whereby an ex-employee cannot work within the same sector of business within six months of them leaving. The contracts also include provisions for data ownership and data rights – all data provided and obtained by staff on company time is the sole property of the company etc.”
You’d have thought this was a fairly straightforward case – indeed, the first response to Bill’s post advised him to go to the police: “After all, all theft is a criminal offence.” However, others were less optimistic: “Unless you have a six-figure sum available to spend, and limitless time to devote to this, then just let them get on with it. Unless your restrictive clause is 100% perfect, then you may even find that it is held not to be enforceable.”
Bill reported back: “The police are not interested in data theft – they advised us to seek legal advice, as they insist it’s a civil matter. “I’m absolutely astonished at the lack of help and protection available to a company in this type of situation – all the support and advice seems to be heavily in favour of employees.” Bill added that the response from his solicitors was ‘not very encouraging’. “They insist it will take time for the legal process to become enforceable.” Meanwhile, his company was continuing to lose customers on a regular basis to its erstwhile employees.
Of course, contact lists are not the only targets for data theft. Others include financial data (including bank accounts and credit cards), computer system credentials, including passwords and security certificates, personnel data and software source code. As long ago as 2009, the Irish division of law firm Grant Thornton was warning that data theft had reached ‘epidemic proportions’. In a leaflet offering advice on the issue, Grant Thornton observed: “The development of ever higher-capacity portable data storage devices, such as USB pen drives, has made it almost trivially easy to copy large quantities of data from almost any computer.”
Even seemingly innocuous devices such as MP3 players and digital cameras can be used to steal data – and the threat is not confined to current or former employees. Many companies use external contractors, who may need to be routinely granted temporary access to your systems or data for completely legitimate reasons. And then there is the ever-present shadow of the external hacker, breaking their way into systems, for financial gain or even just the ‘challenge’.
So what can be done? As usual, prevention is always better than cure in these cases. Limiting the ability to copy is a key element in the battle. Do users really need to have access to their computer’s USB ports? It’s possible to restrict access either through software or with security covers. Similarly, removing CD-burning drives from most computers should be a standard step – thankfully, these days, fewer and fewer machines come with optical drives anyway.
Those in charge of your email systems have a vital role to play. Many companies impose a limit of around 10mb for email attachments – this restriction is not only sensible to prevent system overloads, it can also be a useful security measure. Monitor your systems for unusual, regular email activity – and don’t neglect the risk of websites designed to transfer large files, such as WeTransfer and BigMail.
Finally, what about that printer? Change the security settings on key documents so they can’t be printed, consider installing CCTV cameras by the printer – even maybe placing all printers in a secure room with limited, monitored access.
As far as the employees themselves are concerned, make sure that enforceable ‘non-compete’ contracts are in place – but conversely, don’t make them so onerous that a judge will overturn them as unreasonable.
So let’s assume the worst has happened. Data has gone, and you have substantive proof. What are your options? As in Bill’s case, the current view taken by an already-overstretched police force would seem to be that it’s a civil matter. That may not be technically correct, but the chances of involving the police, unless your name is Hugh Grant, appear minimal. So, it appears your legal team will have to talk to their legal team. Getting something settled out of court is obviously the cheapest option – but dependent on the other party’s response, the next stop may be to seek an injunction while the courts sort it out and arrive at a decision.
The flip-side, as Bill found out, is that you may end up wasting more time and money than the original problem is worth – so think carefully before you get in too deep.
One thing’s for sure, this problem isn’t going away any time soon – and businesses of all types and sizes need to be on their guard.
As for Customer Focus’s own experience, lawyers have been instructed.
Published on: August 11th, 2015