One of the biggest challenges of detecting, investigating and preventing workplace fraud, is the fact that there are so many types of fraud, including data theft. Each type of workplace fraud requires different methods of discovery and subsequent investigation procedures.

Our Types of Workplace Fraud series is designed to help you recognize various types of Workplace Fraud, and the best practices to minimize the risk of fraud on behalf of yourself and your clients.

In part 4 of our series on the types of Workplace Fraud, we help you understand detection and prevention measures for:

  • Asset Misappropriation
  • Corruption
  • Financial Statement Fraud
  • Intellectual Property, Identity and Data Theft

Data theft has emerged as a major concern as cybercriminals are going after critical data for greater leverage over companies. Internal threats are particularly harmful because they often:

  • Understand the weaknesses in an organization’s cybersecurity
  • Know the location and nature of sensitive data they can abuse

Workplace Data Theft

Data theft occurs in the workplace when an employee steals a company’s data for any nefarious or malicious purpose and to the detriment of the company.

Common schemes include:

  • Theft of Customer or Contact Lists
  • Trade Secret Theft
  • Theft of Personally Identifiable Information (PII)

Trade Secret Theft

According to the Economic Espionage Act of 1996, a trade secret is any confidential plan, formula, pattern, program device, technique, code, or collection of information that, once released, could potentially benefit a business. It may be written down, memorized, stored electronically, or be in the form of a graphic.

This type of data theft occurs when an employee sells the company’s data to outsiders for financial or personal gain. Data is typically sold to close competitors or highest bidders, who may want to either improve their product by adopting previously confidential designs or processes into their build, or prepare and adapt strategically to plans and decisions leaked early. The type of data stolen may include blueprints, data codes, recipes, or release plans for products.

Risks may involve:

  • Economic loss (time, effort, resources expended)
  • Losing competitive advantage

Theft of Customer or Contact Lists

This occurs when a departing employee copies or downloads lists of the company’s contacts to either sell or use. An ex-worker may use this information to solicit customers for another organization.

If it is just a basic contact list of customer contacts using e.g. work emails that are otherwise publicly available, the risk of reputational damage or legal action is moderate unless there were contractual obligations to keep your relationship private. The greatest risk is from the loss of customers if the other company begins to use that data to churn them away from you.

However, customer lists may include personally identifiable information, in which case this reputational and legal damage is much greater.

Theft of customer or contact lists may result in:

  • Reputational damage
  • Legal action
  • Financial loss

Theft of Personally Identifiable Information (PII)

Personally identifiable information is any personal information that could be used, on its own or in combination with other pieces of PII, to identify a specific individual. For example, a first name alone would not identify an individual, but a driver’s licence number, or a first name in combination with a postal address, would identify an individual.

Theft of PII involves an employee stealing or sharing sensitive information such as credit card numbers, client lists or other valuable PII to sell to other parties. This may be done to target them for marketing, or for more sinister purposes such as phishing scams or identity theft.

Regardless of why the data was stolen, keeping PII secure is generally considered part of an organisation’s obligations to ensure the privacy of customers, and thus PII security is the subject of an increasing amount of regulation.

Failure to secure PII could lead to:

  • Reputational damage
  • Legal action from customers
  • Regulatory action
data theft

Relevant Laws

In addition to company policies, organizations should adhere to relevant laws under their system to avoid costly risks associated with data theft. For example, in the UK, the General Data Protection Regulation (GDPR) requires businesses to protect the personal data and privacy of EU citizens. 

While companies may think the GDPR does not apply to them because they do not have a location in the EU, the GDPR applies to any multinational companies that have any employees in the EU. Therefore, businesses even in countries such as Australia or the US are required to comply if they have an establishment in the EU or if they offer goods and/or services in the EU.

Similarly, the Privacy Act 1988 sets similar standards for data protection in Australia. This requires organizations to protect their customers’ personal information from risks such as :

  • theft
  • misuse
  • interference
  • loss
  • unauthorised access
  • modification
  • disclosure

The GDPR and the Australian Privacy Act 1988 share many common requirements, including to:

  • implement a privacy by design approach to compliance
  • be able to demonstrate compliance with privacy principles and obligations
  • adopt transparent information handling practices

However, there are also some notable differences, including certain rights of individuals (such as the ‘right to be forgotten’) which do not have an equivalent right under the Privacy Act.

All organizations in Australia with an annual turnover of more than $3 million, must comply with the Privacy Act. Organizations with an annual turnover of $3 million or less, may still be required to comply with the Privacy Act depending on their business type. For example:

  • private sector health service providers, including complementary therapists, gyms, weight loss clinics, child care centres and private education providers
  • businesses that sell or purchases personal information
  • contractors providing services under a contract with the Australian Government
  • credit providers/credit reporting bodies
  • residential tenancy database operators

Similarly, in the United States, the Federal Trade Commission requires companies to protect customer data under the Safeguards Rule. This protects against unauthorized access or use of information which could lead to substantial harm or inconvenience to the customer. 

Steps Forward

Fraud by its very nature involves deception making it extremely difficult to detect. In many cases, fraudsters get away with their activities for years.

Employees at any level of the organization may be capable of fraud. And an employee may commit fraud against his or her employer without committing any other type of illegal or unethical activity outside of their work life, making it difficult to spot someone who may commit occupational fraud before hiring them—which is an important distinction for HR team members to know. Additionally, data theft may be an act of opportunity with no warning signs. Therefore it is important to ensure you have a comprehensive data security program implemented.

Top strategies to prevent data theft may include:

  • Implementing Acceptable Use Policies and/or Data Classification and retention policy
  • Security permissions (adopt a ‘minimum permissions’ approach whereby employees have the bare minimum access they need to do their job)
  • Data Loss Prevention (DLP) Software
  • Email monitoring

As an employer, you should be prepared to deal with the theft of client lists or other important information. Having a clearly drafted confidentiality clause in your employment agreement will help you to enforce the clause. If an employee takes confidential information, you may need to:

  • protecting the information;
  • discipline the employee or terminating the employment; or
  • pursue legal action.

How Polonious Can Help You Investigate Data Theft

Virtually no organization is immune to data theft. Whether data breaches are caused by insider threats, a former employee with ongoing access, or external malicious threat actors, every business needs to take proactive measures to protect sensitive information.

All organizations should take steps within their means to proactively address prevention and detection in order to lessen the associated risks. Take a look at 8 Tips for Preventing Internal Fraud for risk management tips.

The Polonious SIU Case Management System (PCMS) brings enhanced case tracking, automation, and reporting to any investigation process, including internal fraud, security breach, or privacy complaint investigation. Using our digital expertise, we enhance investigation procedures and help you navigate the legal and organizational complexities of any investigation.

Additionally, our own data security is ISO27001 certified, meaning both that the way we handle our client data, and the way our software handles your investigation data, is certified to the strict international standards.