Employee ordered to pay £25,500 fine following data theft offences

Employee ordered to pay £25,500 fine following data theft offences

Background

Mr Mustafa Kasim worked for the accident repair firm Nationwide Accident Repair Services (NARS). Without permission, Mr Kasim used the log in details of a colleague to access a software system that estimates the cost of vehicle repairs. Using this system, he manged to access thousands of NARS customer records containing personal data, including names, phone numbers and vehicle and accident information. He then sold on that data to claims management companies.

When Mr Kasim moved to a different accident repair company that used the same software system, he continued to use his ex-colleagues’ details to login and steal personal data.  NARS became suspicious following an increase in customer complaints advising of nuisance phone calls and reported the matter to the Information Commissioners Office (ICO). The ICO is the UK’s independent regulator for data protection and information rights.

Investigation by the ICO

Following an investigation by the ICO, the ICO unusually decided to prosecute under section 1 of the Computer Misuse Act 1990 (usually used to prosecute hackers) rather than under the Data Protection Act 1998 (owing to when the offences occurred), as The Data Protection Act 1998 could not have led to a prison sentence, only an unlimited fine. The ICO indicated at the time that they decided to do this to reflect the nature and extent of the offending and for the sentencing Court to have a wider range of penalties available, including imprisonment.

Mr Kasim pleaded guilty to the charge of securing unauthorised access to personal data between 13 January 2016 and 19 October 2016. In November 2018, Mr Kasim was sentenced to six months in prison. This case made headlines at the time as Mr Kasim was the first person to be imprisoned following a prosecution by the ICO under the Computer Misuse Act.

Financial Penalty

Following this, what is known as ‘Confiscation proceedings’ under the Proceeds of Crime Act was commenced to recover any benefit obtained as a result of the offences by Mr Kasim.

On 15 July 2019 a hearing took place at Wood Green Crown Court.  The Judge determined that Mr Kasim benefitted from thousands of pounds as a result of his offences and ordered Mr Kasim to pay £25,500 plus £8,000 costs. Mr Kasim has three months to pay the confiscation order or could face a 12 months’ prison sentence.

Mike Shaw, Group Manager Enforcement at the ICO said:

“Our investigations found that Mr Kasim had benefitted financially from his illegal activity. As a result of his activities, people whose data had been stolen received cold calls and his former employer faced huge remedial costs.

Personal data obtained in this way can be a valuable commodity and selling it may seem like an easy way to make money but the penalties can be severe. The outcome of this case should serve as a deterrent to others.”

Summary

It will be interesting to see whether the ICO decides to follow with more prosecutions of this type rather than under the Data Protection Act where, even under the new 2018 Act, although unlimited fines can be levied, there is still not the possibility of imprisonment for this type of offence.

One would hope that seeing the outcome of these cases will deter people from stealing personal information. However, if you are concerned and need to report a matter to the ICO they can be contacted on their helpline on 0202 123 1113 or website ico.org.uk/concerns.

Brachers is available to help businesses with advice and assistance to change behaviours around the collection, use and keeping personal information to ensure compliance with data protection laws and minimise the risk of criminal prosecutions. For further information please contact Louise Brenlund on 01622 776405.