In The News

Prison sentence issued after data breach in automotive sector

Article Date: 22 January 2019

A former motor industry employee has been sentenced to six months in prison for unlawfully accessing personal data. Mustafa Kasim, who worked for accident repair firm Nationwide Accident Repair Services (NARS), used the Audatex system to access thousands of customer records containing personal data without permission. Using a colleague’s log-in details, he gained access to customers’ names, phone numbers, vehicle and accident information, and the estimated cost of vehicle repairs. He continued to do this after he started a new job at a different car repair organisation which used the same software system.

Various comments have been released from a number of sources, covering everything from the length of the sentence passed to the range of different elements of legislation involved. These are all worthwhile discussion points; however, from a neutral view, some of the most surprising outcomes of this incident have not been addressed:

  • Why were neither NARS nor Mr Kasim’s last employer enforced against?
  • Why didn’t the ICO rely upon the Data Protection Act 2018?
  • Where does this leave Retailers?

Well, our GDPR team have been analysing the findings and have supplied the following commentary:

Duncan Bembridge – ASE Head of GDPR
“One of the most surprising features of this incident is that, after assessing the impact, nature and outcome of the incident, the ICO decided that the DPA 2018 was not the most appropriate or effective way of prosecuting given the nature and extent of the offending. What does this tell us? We wouldn’t suggest this decision undermines or relates to a lack of confidence in the potential enforcement abilities the ICO have under GDPR. If anything, I would suggest it reinforces their commitment to protect businesses and individuals where personal data is unlawfully accessed and/or used, demonstrating that they will pursue the most vigorous penalties possible. This new, flexible approach shown by the ICO indicates a real step change on their part and suggests a more creative and robust enforcement body. This should give both the public and businesses confidence that the ICO will punish those who abuse customers’ personal data.”

Kevin Symm – ASE Data Protection & Compliance Officer
“The key question for Retailers as we perceive it is - how do we ensure none of our staff, if they move on, damage us in a similar way? Well, one point to make clear is that the ICO decided that only Mr Kasim’s actions warranted enforcement. Neither his current nor former employer were considered liable for prosecution. However, what may surprise some is that this is the second, very similar breach the NARS have suffered. In the other case, after ICO investigation, the employee pleaded guilty to unlawfully accessing customer data and was issued with a fine. When compared with Mr Kasim’s custodial sentence the difference is profound. Why is this? Well, we can obviously speculate on a number of issues, but you cannot ignore the recent headlines around GDPR and its enforcement in the UK. Some have perceived the recent £500,000 fine issued to Facebook as trivial. With this in mind I don’t believe it is that much of a leap to suggest the ICO have implemented a precedent whereby they can rely upon the Computer Misuse Act 1990 again in some high-profile, high-impact instances. From a retailer’s perspective, obviously, no one wants their GDPR compliance efforts to be prompted by ICO intervention after an incident or breach. So, how can Retailers progress their compliance efforts without taking much needed effort and resources away from their front-line activities?”

Well, at ASE we feel we understand the demands and challenges for Retailers today and, with this in mind, we have developed a bespoke, automotive-specific GDPR health-check service designed to provide you with the assurances you need in terms of your current position on compliance, what is and isn’t working and, most importantly, what you can do to ensure you get compliant as quickly and easily as possible. This decision on the ICO’s part to favour the Computer Misuse Act 1990 instead of its more routine sections of enforcement legislation could be perceived as a real change of attitude and approach.

Whenever enforcement is carried out by the ICO, our GDPR team analyse the facts to establish if the case has links to the automotive sector and what, if any, lessons can be learned:

Duncan Bembridge – ASE Head of GDPR
“In this instance there is a clear link to our sector. If you think about the Kasim case and use, there are many examples in the dealership with similar circumstances to the data held on Audatex the link is obvious. Mr Kasim left NARS for a new role at a different organisation. However it is portrayed, Mr Kasim used the customer data provided to his old employer whilst in his new role. The learning for retailers here is that no matter how long what data employees have access to, it belongs to the business, not the individual. Exit interviews should be structured to include reference to the personal data employees have accrued during their employment and written confirmation provided that they have not taken any of it with them into their new role.”

The ASE GDPR Health-check service is designed to quickly identify gaps in compliance, within even the most well-prepared retailer. We have templates and draft documents which can be quickly and easily amended into a retailer’s pre-existing format to ensure any issues or vulnerabilities our team identify are quickly addressed and action taken to eliminate exposure.

Kevin Symm – ASE Data Protection & Compliance Officer
“One could easily perceive this change of approach by the ICO as the beginnings of a more robust and aggressive enforcer. Criticism has been levelled at the ICO regarding the level of fines issued to, amongst others, Facebook. However, their hands were tied to a certain degree as the enforceable actions all took place pre-GDPR implementation. However, Mr Kasim’s enforceable actions were conducted between 13 January 2016 and 19 October 2016 so, one could ask, why Facebook weren’t prosecuted under similarly robust enforcement. Well, the ICO know the full details of the case better than anyone else and I would be confident that they have enforced under the correct legislation. However, you cannot fail to see the clear change in their approach and, in our opinion, this could represent the first indication from the ICO that individuals who clearly, knowingly and maliciously misuse, unlawfully process or unlawfully obtain personal data will be prosecuted by the ICO in as aggressive and robust a manner as the legislation allows.”