A former employee of accident repair firm Nationwide Accident Repair Services (“NARS”) has become the first individual to be prosecuted by the Information Commissioner’s Office (“ICO”) for breach of the Computer Misuse Act 1990.
The employee accessed thousands of customer records containing personal data without permission by using his colleagues’ log-in details. He continued to do so after moving to a new job at a different repair firm that used the same software system.
His wrongdoing came to light when NARS saw a rise in customer complaints about nuisance calls and assisted the ICO with their investigation.
Ordinarily the ICO will bring prosecutions in cases such as this under the Data Protection Act. However, the Data Protection Act does not include the potential penalty of imprisonment which is available under the Computer Misuse Act. Section 1 of the Computer Misuse Act provides that a person is guilty of an offence if:
- He causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured;
- The access he intends to secure or to enable to be secured, is unauthorised; and
- He knows at the time when he causes the computer to perform the function that that is the case.
A conviction under section 1 carries a maximum term of 2 years' imprisonment.
Mike Shaw, Group Manager Criminal Investigations Team at the ICO, said:
“People who think it’s worth their while to obtain and disclose personal data without permission should think again... Members of the public and organisations can be assured that we will push the boundaries and use any tool at our disposal to protect their rights.”
Under the recent changes to data protection legislation, the ICO now has strengthened powers to impose monetary penalties. This case shows that it is also willing to prosecute beyond the data protection legislation where circumstances warrant that step. It also demonstrates the issues that rogue employees or former employees who misuse access to personal data can cause for organisations, perhaps where internal security controls are lax or are not policed, enabling co-workers to access passwords or bypass security measures.
Not only can the ICO come knocking but there are also wider reputational and customer trust issues that can be far harder to quantify and put right.