The ICO continues to make a name for itself as a dogged investigator of wrongdoing in the realm of personal data, particularly in the areas of corporate blogging and blue-chip hacking – its latest news release <https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/01/record-fines-for-company-senior-staff-and-private-investigators-involved-in-illegal-trade-in-personal-information/> is, somewhat ironically, in relation to a Kent-based firm of loss adjusters. For those of us not in the insurance business, a loss adjuster looks (either on behalf of an insurance company or on behalf of a claimant) for the root cause of a ‘loss’ to determine if the claim is covered under the insurance policy.
In this example, a relatively small private firm with 15 national offices across the UK, an estimated turnover of c.£13m, and a net worth of over £3.5m, broke the law by illegally obtaining and using/sharing personal information for a case. They did this in collaboration with hired private investigators, and it resulted in nearly £270k in fines and costs, and criminal convictions for all the key personnel involved. This included two of the company directors and the key investigators.
Interestingly, this case was reported in the local press <http://www.kentonline.co.uk/malling/news/insurance-firm-in-court-over-103244/> in September 2017, where a spokesperson for the company denied all charges, highlighting their reputation as a leading UK provider of claims solutions to reinforce their integrity and their confidence that they would be cleared of all charges. The business must therefore, no doubt, now find itself in a sobering and humbling place following the 15 guilty verdicts in October 2017 and the sentencing this week.
Passing sentence following the guilty verdicts under the current Data Protection Act 1998, the Judge delivered an opinion that the defendants were aware that they were operating illegally <https://www.theguardian.com/technology/2018/jan/05/insurance-firm-and-two-of-its-employees-given-record-data-breach-fines> and turned a blind eye to it for commercial gain – he viewed these offences as “relatively serious”, enough to pass the sentences. One can only imagine how much more serious or damaging the case could have been for all involved under the GDPR; given the judge's view of the seriousness of the breach, that company turnover figure of £13m would have meant fines up to £520k (4%).
One can only wonder if the company involved will continue to enjoy the very active support they claim to have in the industry moving forward, or if they truly have learned their lessons from this. However, this is a sobering reminder for businesses that operate with little or no care for data protection and privacy laws that the days of being able to do so undetected and unchallenged are numbered.
Assoc.CIPD & Cert.E GDPR P