An employee at a vehicle accident repair centre who stole the data of customers and passed it to a company that made nuisance phone calls has been jailed for 6 months following an investigation by the Information Commissioner’s Office (ICO).
Used Former Co-Worker’s Login To Company Computer
The employee of Nationwide Accident Repair Services, Mustafa Kasim, used a former co-workers’ login details to access software on the company computer system (Audatex) that was used to estimate repair costs. The software also stored the personal data (names and phone numbers) of the owners of the vehicles, and it was the personal data of thousands of customers that Mr Kasim took without the company’s permission, and then passed on to a claims management company that made unsolicited phone calls to those people.
Mr Kasim was unmasked as the data thief after the Accident Repair Company noticed that several clients had made complaints that they were being targeted by nuisance calls, and this led to the decision to get the ICO involved.
During the investigation, it was discovered that Mr Kasim continued to take and pass on customer data even after he started a new job at a different car repair organisation which used the same Audatex software system.
First With A Prison Sentence
What makes this case so unusual is that it is the first prosecution to be brought by the Information Commissioner’s Office (ICO) under legislation which carries a potential prison sentence.
Computer Misuse Act
Even though the ICO would normally prosecute in this kind of case under the Data Protection Act 1998 or 2018 with penalties of fines rather than prison sentences, in the case of Mr Kasim it was judged that the nature and extent of the criminal behaviour required making a wider range of penalties available to the court. It was decided, therefore, that s.1 of the Computer Misuse Act 1990 would be used in the prosecution, and it was the offences under this that resulted in the 6-month prison sentence that Mr Kasim received.
What Does This Mean For Your Business?
Since preparing for GDPR, many companies have become much more conscious about the value of personal data, the importance of protecting customer data, and the possible penalties and consequences of failing to do so. In this case, the ICO acknowledged that reputational damage to affected companies whose data is stolen in this way can be immeasurable e.g. Nationwide Accident Repair Services and Audatex. The ICO also noted the anxiety and distress caused the accident repair company’s customers who received nuisance calls.
This case was also a way for the ICO to send a powerful message that obtaining and disclosing personal data without permission is something that will be taken very seriously, and that the ICO will push boundaries and be seen to use any tool at its disposal to protect the data protection rights of individuals. The case also serves as a reminder to businesses that looking at ways to provide the maximum protection of customer data and plug any loopholes is a worthwhile ongoing process, and that threats can come from within as well as from cyber criminals on the outside.