Sentencing Car Crash for Data Thief Employee

Data protection has always been a hot topic for employers and has become even more important given the General Data Protection Regulation introduced this year. However, has it ever been made clear to employees that there are serious consequences, including prison sentences, if they are found guilty of a data protection breach? If they were not aware before this recent case, they will be now!
Mustafa Kasim worked for the accident repair firm ‘Nationwide Accident Repair Service’ (NARS) for some years. Between 12th January and 19th October 2016 he continuously accessed customer records. These records contained personal data: the accidents customers had been in, their names, phone numbers and vehicle details. He accessed thousands of customers’ details using colleagues’ login details, without their permission, via Audatex, a software system that estimates the cost of vehicle repairs. He continued to access this information even after he moved companies, since his new employer used the same software system.
After NARS received a worrying increase in customer complaints about nuisance calls, they contacted the Information Commissioner’s Office (ICO). The ICO went on to investigate and subsequently prosecute Mustafa under s1 of the Computer Misuse Act 1990 (rather than the Data Protection Act 1998, as the former carried a more severe sentence). Mustafa pleaded guilty to the offence of securing unauthorised access to personal data at a hearing in September of this year and was sentenced to six months in prison. This was seen as a landmark case, since it was the first time anyone has gone to prison as a result of a case the ICO prosecuted.
As well as acting as a deterrent for employees who are thinking about breaking data protection laws, this case should also serve as a warning to employers. The importance of good data protection practice in the workforce really can’t be stressed enough.
Here are some suggestions for employers:

  • Have a clear policy that requires employees not to share their login details with anyone, as this is the easiest way for employees to access private information
  • Require employees to change passwords regularly and ensure that the password criteria drive employees to use passwords that are hard to crack
  • Keep an eye out for any suspicious login activity, e.g. where an employee is regularly logging in very early in the morning or late at night
  • If you are at all concerned about employee behaviour in this area, make sure you investigate quickly to prevent any breaches getting out of hand.
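The two detection points above (shared login details and out-of-hours access) can be checked from an application's access log. The script below is an added example, not code from the original article or from Audatex; it assumes a constructed CSV-style audit log with timestamp, user, workstation and action fields, and flags accounts used from two workstations within a few minutes (a sign the login is shared) as well as access outside business hours.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not from the article): timestamp,user,workstation,action
SAMPLE_LOG = """\
2016-03-02T08:55:10,jsmith,WS-014,view_customer
2016-03-02T09:10:44,jsmith,WS-014,view_customer
2016-03-02T09:12:03,jsmith,WS-027,view_customer
2016-03-02T22:41:30,abrown,WS-009,view_customer
2016-03-03T05:20:12,abrown,WS-009,view_customer
2016-03-03T10:05:00,cwhite,WS-003,view_customer
"""

BUSINESS_HOURS = range(7, 20)      # 07:00-19:59 treated as normal working hours (assumption)
SHARED_WINDOW_SECONDS = 10 * 60    # same account on two workstations within 10 minutes


def parse_log(text):
    """Parse the constructed log format into (datetime, user, workstation, action) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, host, action = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, host, action))
    return rows


def off_hours_access(rows):
    """Return (user, timestamp) pairs for record access outside business hours."""
    return [(u, ts.isoformat()) for ts, u, _, _ in rows if ts.hour not in BUSINESS_HOURS]


def shared_credential_suspects(rows):
    """Return users whose account was used from two different workstations
    within SHARED_WINDOW_SECONDS of each other: one person cannot be at both."""
    by_user = defaultdict(list)
    for ts, u, host, _ in rows:
        by_user[u].append((ts, host))
    suspects = set()
    for u, events in by_user.items():
        events.sort()
        for (t1, h1), (t2, h2) in zip(events, events[1:]):
            if h1 != h2 and (t2 - t1).total_seconds() <= SHARED_WINDOW_SECONDS:
                suspects.add(u)
    return sorted(suspects)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("Off-hours access:", off_hours_access(rows))
    print("Possible shared logins:", shared_credential_suspects(rows))
```

Either finding is a prompt to investigate, not proof of misuse; a night shift or a user legitimately moving desks will trigger the same rules, so the thresholds should be tuned to the firm's working pattern.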