A motor industry employee has been given a six-month prison sentence for accessing customer records without permission in a landmark prosecution led by the Information Commissioner's Office (ICO).
Mustafa Kasim pleaded guilty on one charge of securing unauthorised access to personal data between January and October 2016, and was sentenced to six months under the Computer Misuse Act (CMA) 1990.
Kasim, who worked for accident repair firm Nationwide Accident Repair Services (NARS), accessed the personal data of thousands of customers on the Audatex IT platform using his colleagues' login details.
This is the first time the ICO has led a prosecution charge in 28 years since the Act came into force, and was motivated by a desire to inflict a tougher punishment on Mustafa Kasim than is conventionally handed for data misuse.
"People who think it's worth their while to obtain and disclose personal data without permission should think again," said the ICO's group manager of the criminal investigations team Mike Shaw.
"Although this was a data protection issue, in this case we were able to prosecute beyond data protection laws resulting in a tougher penalty to reflect the nature of the criminal behaviour.
"Members of the public and organisations can be assured that we will push the boundaries and use any tool at our disposal to protect their rights."
Kasim continued to access customers' personal data when he left NARS and started a new job at a different car repair organisation which used the same software. These details included customers' names, phone numbers, as well as vehicle and accident information.
NARS approached the ICO upon receiving increased complaints from customers about receiving nuisance calls.
"Data obtained in these circumstances is a valuable commodity, and there was evidence of customers receiving unwarranted calls from claims management companies causing unnecessary anxiety and distress," Shaw continued.
"The potential reputational damage to affected companies whose data is stolen in this way can be immeasurable. Both Nationwide Accident Repair Services and Audatex have put appropriate technical and organisational measures in place to ensure that this cannot happen again."
Cases such as this, concerning data abuse, are normally prosecuted under Data Protection Act (DPA) 1998, or the EU's General Data Protection Regulation (GDPR) which came into force earlier this year.
However, with the timing of the case rendering GDPR inapplicable, and punishment under the DPA 1998 not deemed severe enough, the ICO opted to prosecute Kasim under different legislation.
In this case, the ICO chose section one of the CMA 1990, which prohibits the use of a computer to intentionally gain access to programmes or data held. This offence carries a maximum prison sentence of two years.
The data regulator said "in appropriate cases" it had the remit to prosecute cases via alternative legislation "to reflect the nature and extent" of offences, and so that the court has "a wider range of penalties available".
"This was an appropriate case to pursue under CMA 1990 because the seriousness of this particular offence, which had a number of aggravating factors, meant that a sentence limited to a fine under the DPA would not have reflected the culpability of the offender," an ICO spokesperson told IT Pro.
-
Should AI PCs be part of your next hardware refresh?AI PCs are fast becoming a business staple and a surefire way to future-proof your business
-
Westcon-Comstor and Vectra AI launch brace of new channel initiativesNews Westcon-Comstor and Vectra AI have announced the launch of two new channel growth initiatives focused on the managed security service provider (MSSP) space and AWS Marketplace.
-
ICO admits it's too slow dealing with complaints – so it's eying up automation to cut staff workloadsNews The UK's data protection authority has apologized for being slow to respond to data protection complaints, saying it's been overwhelmed by increased workloads.
-
“Limited resources” scupper ICO probe into EasyJet breachNews The decision to drop the probe has been described as “deeply concerning” by security practitioners
-
Surge in workplace monitoring prompts new ICO guidelines on employee privacyNews Detailed guidance on how to implement workplace monitoring could prevent data protection blunders
-
TikTok could be hit with £27m fine for failing to protect children's privacyNews Social media firm issued with a notice from the ICO for potential violations of UK data protection laws
-
What is AdTech and why is it at the heart of a regulation storm?In-depth The UK data regulator has come under heavy fire for consistently delaying much-needed action, privacy groups say
-
ICO crackdown on AI recruitment part of three-year vision to save businesses £100 millionNews ICO25 outlines a fresh approach that involves releasing learning materials, advice, and a new ICO-moderated discussion forum for businesses
-
Clearview AI fined £7.5m over improper use of UK dataNews Australian facial recognition firm collected 20 billion images from the internet without consent in order to build its database
-
UK data watchdog cut IT spending by £1.2 million during pandemicNews The ICO’s IT budget has been slashed by around 23% since 2019
