May 9, 2017

Data Security – Show Pony Group Pty Ltd v Black Swallow Boutique Pty Ltd & Ors

Data Security

Show Pony Group Pty Ltd (“ShowPo”) has settled a dispute with competitor Black Swallow Boutique Pty Ltd (“Black Swallow”) and two individuals, Mr Alexander Baro (chief executive of Black Swallow) and Ms Melissa Aroutunian (a former graphic designer for ShowPo), over the alleged theft of ShowPo’s contact database.

The case highlights the risks of unauthorised use and disclosure of confidential information. It also reveals that sometimes the greatest threat comes from within.

Details of the ShowPo case

ShowPo, a hugely popular online women’s fast fashion retailer, commenced proceedings in the Federal Court of Australia in mid-November 2016. It was alleged that the former employee, Ms Aroutunian, downloaded a copy of  ShowPo’s Client Contact List before leaving ShowPo and provided a copy of that list to Black Swallow. According to court filings, the database contained contact information for all of ShowPo’s customers, competition entrants, suppliers and other contacts. It was estimated that the database contained around 306,000 entries.

ShowPo was successful in obtaining an interim injunction (a temporary court order made subject to the subsequent trial of the proceedings) to prevent the three respondents from using or disclosing the Client Contact List.

The proceedings then headed to Mediation, following which the case was finalised by agreement between the parties.

According to the final orders, dated 24 March and 10 April, each of the respondents is permanently restrained from using or disclosing the Client Contact List, and Black Swallow has been ordered to pay $60,000 in compensation to ShowPo over instalments.

The customers of a business are its lifeblood, and their information is increasingly being obtained and stored online. So, what measures can be taken to protect this essential and sensitive information from unauthorised breach? And what can you do if a breach occurs?

Basic Data Security

It goes without saying that effective password management and data security measures are key steps in protecting any sensitive data.

Ask yourself these questions:

  • Do only those employees who need access to the data have access? Do your entry level staff need admin level access? In most cases, not all data needs to be known, accessible or editable by every person in the business. Work with your IT/software provider to restrict unnecessary access.
  • Is your data secured on the move and at rest? Use industry standard encryption (eg https) to protect data transactions and ensure your data is encrypted whenever it’s stored.
  • Are strong passwords being used? Everyone knows that “Password1234” is not secure. But do your staff or your business use their birthdate, street address, family members’ names or a similar formula to choose a password? Do they change passwords by incrementing a digit at the end? Do they use the same work password for their social media account? Consider training your staff to use a reputable password manager to generate unique passwords for each account or implement mandatory lengths of time when your staff need to change their system passwords.
  • Are system passwords being stored securely by staff? Do your staff share passwords with each other? Do they allow others to use their accounts? – Hint: Passwords should not be scribbled on a post-it note and stuck to your computer monitor! If everyone knows Johnny’s password, then everyone can use his account with impunity. Using a reputable password manager can even allow the business to generate secure passwords and grant access to the system without even disclosing the password to the employee.
  • When an employee leaves, is their account access immediately suspended and the password reset? Do your staff contracts contain confidentiality provisions, and do you remind them of their obligations post-termination? Even if you part with an employee on good terms, leaving the gate open is never a good idea.
  • Does your staff know what to watch out for to avoid falling victim to scam or phising emails?  Consider training your staff on how to identify illegitimate emails by visiting www.scamwatch.gov.au.
  • Does your system log user’s access and activities? Do you get automatic alerts if unauthorised access occurs? Server access logs are vital evidence if the worst should happen.
  • Are your devices and those used by your staff secure? You wouldn’t leave the house without locking up: Don’t leave your desk (or your smartphone) without doing so! Physical and digital security is critical. Keep all your systems patched with the latest manufacturer and vendor updates.
  • Are all your eggs in one basket? Backups, backups and more backups. Ensure they are kept securely too, to guard against deletion, data corruption, and ransomware or cryptoware attacks. Backups also allow you to resume or continue business operations more quickly in the event of a disaster.

In case of emergency…

Knowing what to do if a breach occurs can make the difference between swift recovery and absolute disaster.

  • Consider engaging a data security consultant to develop a disaster management plan – you’ll need to manage both your IT and your PR.
  • Train your staff to be security conscious and identify and report risky and suspicious behaviour.
  • Know how to lock down access to the system to prevent further breach. Continuing to operate on a compromised system can be risky.
  • Know how to quickly obtain your evidence and act quickly as soon as you discover a breach. As in the ShowPo case, in some circumstances with quick action it is possible to obtain interim court orders to protect your position before the horse has bolted.

References

Show Pony Group Pty Ltd v Black Swallow Boutique & Ors (Federal Court of Australia, File No. NSD1984/2016) [ https://www.comcourts.gov.au/file/Federal/P/NSD1984/2016/actions ]

If you have concern’s over the security of your client data contact Rouse Lawyers today to discuss how we can assist you.