16 November, 2018
The Information Commissioner's Office (ICO) has successfully prosecuted a car repair worker for stealing customer data, resulting in the first jail sentence for an offence brought under the Computer Misuse Act 1990.
Mustafa Kasim, a former employee of Nationwide Accident Repair Services, pleaded guilty to a charge of securing unauthorised access to personal data between January 13 2016 and October 19 2016, at a hearing in September 2018 and was sentenced at Wood Green Crown Court.. He also admitted to accessing a software system that estimated vehicle repair cost estimates by using a colleagues log-in details, continuing to do so even after he had moved on to a new job which used the same software.
Suspicions came to light when Nationwide Accident Repair Services became aware of a marked increase in customer complaints regarding cold calls about their accidents, resulting in them contacting the ICO and aiding them in their investigations.
The head of criminal investigations at the ICO, Mike Shaw, explained the use of the Computer Misuse Act in this prosecution, rather than bringing it under the Data Protection Act 1998 which was in force at the time of the offence:
"People who think it's worth their while to obtain and disclose personal data without permission should think again. Although this was a data protection issue, in this case we were able to prosecute beyond data protection laws resulting in a tougher penalty to reflect the nature of the criminal behaviour. Members of the public and organisations can be assured that we will push the boundaries and use any tool at our disposal to protect their rights. Data obtained in these circumstances is a valuable commodity, and there was evidence of customers receiving unwarranted calls from claims management companies causing unnecessary anxiety and distress.
The potential reputational damage to affected companies whose data is stolen in this way can be immeasurable. Both Nationwide Accident Repair Services and Audatex have put appropriate technical and organisational measures in place to ensure that this cannot happen again."
This prosecution marks an escalation from the ICO in regards to their enforcement of data protection, with previous prosecutions under the Data Protection Act 1998 (and future prosecutions under the Data Protection Act 2018) being limited to fines. The prosecution under the Computer Misuse Act, and the subsequent custodial sanction, shows a new chapter dawning in data protection regulation which will have undoubted consequences for both individuals who commit the breach as well as the organisations who employ them.
The importance of this ruling is compounded by the recent data breach case against Morrison's supermarket. In the UK's first data leak group action, the High Court ruled that supermarket chain Morrison's is liable for the actions of former employee Andrew Skelton, a decision upheld by the Court of Appeal and is now going forward to the Supreme Court. Skelton was a senior internal auditor at Morrison's who leaked payroll data and was subsequently jailed for eight years in 2015 after being found guilty of fraud, securing unauthorised access to computer material and disclosing personal data. Morrison's themselves were found to be vicariously liable for his actions, despite his criminality, and face large compensation pay-outs to the 5,000 Morrison's employees pressing the case against the supermarket.
Taken together these cases highlight the vulnerability organisations face with regards to rogue actors in their employ and the repercussions they face for their actions, be it financial or reputational loss.
Forbes Solicitors regularly advise a range of businesses on data protection law. We offer a range of fixed fee and retainer-based Data Protection Support services and would be happy to discuss how we can assist you with your preparations with the aim of helping to minimise the occurrence of breaches, and in the event of a breach help to mitigate any resulting risks. If you have any questions, please contact me on 01254 222451 or at firstname.lastname@example.org.