24. November 2009 · Massive T-Mobile UK trade secret theft perpetrated by insider · Categories: Breaches, Data Loss Prevention, Trade Secrets Theft

Last week T-Mobile UK admitted to the theft of millions of customer records by one or more insiders. These customer records, which included contract expiration dates, were sold to T-Mobile competitors or third-party brokers, who "cold called" the T-Mobile customers when their contracts were about to expire to get them to convert.

While this is a privacy issue from the customer perspective, from T-Mobile's perspective it's also theft of trade secrets.

And this is about as basic as theft of trade secrets gets. According to the article in the Guardian, in the UK this type of crime is only punishable by fine, not jail time, although the Information Commissioner's Office "is pushing for stronger powers to halt the unlawful trade in personal data…"

So if you steal a car, you can go to jail, but if you steal millions of customer records, you can't. Clearly the laws must be changed. Or, not being a lawyer, I am missing something.

Based on some research I've done, the same is true in the United States, i.e. no jail time. Here are some good links that cover trade secret law in the US:

Regardless of the laws and their need for change, organizations must invest in trade secret theft prevention appropriate to the associated level of risk.

Let's take a look at the components of Risk – Threat, Asset Value, Likelihood and Economic Loss – in the context of trade secret theft.

The overall Threat is increasing as the specific methods of theft of digital Assets constantly evolve. Economic loss, depending on the Value of the trade secret Asset, can range from significant to devastating, i.e. wiping out much or all of an organization's value.

It's hard to imagine the Likelihood of theft of any trade secret in digital form could ever be rated as low. Unfortunately, we do not have well-accepted quantitative metrics for measuring the degree to which administrative and technical controls can reduce Likelihood.

Therefore, trade secret theft risk mitigation is really a continuous process rather than a one-time effort. New threats are always appearing. New administrative and technical controls must constantly be reviewed and, where appropriate, implemented in order to minimize the risk of trade secret theft.