A motor trade employee has received a six month prison sentence for accessing customer information and then sharing with claims management companies.
This is the first ICO prosecution which under the Computer Misuse Act 1990 which carries a potential prison sentence rather than the Data Protection Acts of 1998 and 2018.
The rogue employee accessed thousands of customer personal details using a colleague’s log-in details for the Audatex system, used to calculate the costs of vehicle repairs following an accident.
At the time the employee was working at Nationwide Accident Repair Services, but he then continued to do this after he started at a new employer who was using the same system.
Mike Shaw, Group Manager Criminal Invesitgations Team at the ICO said:
”People who think it’s worth their while to obtain and disclose personal data without permission should think again.
“Although this was a data protection issue, in this case we were able to prosecute beyond data protection laws resulting in a tougher penalty to reflect the nature of the criminal behaviour.
“Members of the public and organisations can be assured that we will push the boundaries and use any tool at our disposal to protect their rights.
“Data obtained in these circumstances is a valuable commodity, and there was evidence of customers receiving unwarranted calls from claims management companies causing unnecessary anxiety and distress.
“The potential reputational damage to affected companies whose data is stolen in this way can be immeasurable. Both Nationwide Accident Repair Services and Audatex have put appropriate technical and organisational measures in place to ensure that this cannot happen again.”
Nationwide Accident Repairs Service had contacted the ICO when they noticed an increase in customer complaints about nuisance calls from claims management companies.
Insider threat presents a real problem for organisations and this case highlights one of the potential risks. The recent BUPA fine for £175,000 was also due to a rogue employee, but in the case of BUPA , the ICO found they had not taken appropriate measures to secure the data.