The first prosecution to be brought by the Information Commissioner’s Office (ICO) under the Computer Misuse Act 1990 has resulted in an employee receiving a six-month prison sentence for accessing customers’ personal data without authorisation.

The individual in question worked for an accident repair firm, where he used his colleagues’ log-in details to access a software system. Information obtained in this way included customers’ names, phone numbers, vehicle and accident information. He continued to carry out this illegal practice after he had commenced employment at a second firm that used the same computer system. In all, his wrongdoing continued for a period of nine months, from January 2016 to October 2016.

The issue came to light when his first employer saw an increase in customer complaints about nuisance calls and decided to contact the ICO.

The individual pleaded guilty when he appeared at Wood Green Crown Court and was duly sentenced to a six-month term of imprisonment. Proceedings are also under way to attempt to confiscate any benefits he received from his offending, as dictated by the Proceeds of Crime Act.

The ICO has previously initiated other prosecutions for similar offences under the Data Protection Act 1998 or the Data Protection Act 2018. The case illustrates how important it is for firms to ensure that all employees at all levels understand data protection law and what they can and cannot do in their role.

Mike Shaw, Group Manager – Criminal Investigations Team at the ICO, said:

“People who think it’s worth their while to obtain and disclose personal data without permission should think again.

“Although this was a data protection issue, in this case we were able to prosecute beyond data protection laws resulting in a tougher penalty to reflect the nature of the criminal behaviour.

“Members of the public and organisations can be assured that we will push the boundaries and use any tool at our disposal to protect their rights.

“Data obtained in these circumstances is a valuable commodity, and there was evidence of customers receiving unwarranted calls from claims management companies causing unnecessary anxiety and distress.

“The potential reputational damage to affected companies whose data is stolen in this way can be immeasurable. Both [names of firms he worked for] have put appropriate technical and organisational measures in place to ensure that this cannot happen again.”
