Ian Birdsey of Pinsent Masons, the law firm behind Out-Law, was commenting after the UK's Information Commissioner's Office (ICO) announced that it had won a court order compelling a man previously convicted of securing unauthorised access to personal data to return money he earned from the activity.
Mustafa Kasim was successfully prosecuted by the ICO under the Computer Misuse Act in November last year. The case was the first time an individual had been imprisoned following an ICO prosecution.
An ICO investigation found former Nationwide Accident Repair Services (NARS) employee Kasim had used colleagues' log-in details to access software containing "thousands of customer records", which featured their names, phone numbers, vehicle and accident information. The ICO said it investigated after NARS reported seeing an increase in customer complaints about nuisance calls. Kasim was sentenced to serve six months in jail.
Now the ICO has said that is has successfully pursued a case against Kasim under the Proceeds of Crime Act which means Kasim will have to pay a £25,500 confiscation order within three months. It said Kasim also faces a further £8,000 bill for costs.
Mike Shaw, group manager for enforcement at the ICO, said: "Our investigations found that Mr Kasim had benefitted financially from his illegal activity. As a result of his activities, people whose data had been stolen received cold calls and his former employer faced huge remedial costs. Personal data obtained in this way can be a valuable commodity and selling it may seem like an easy way to make money but the penalties can be severe. The outcome of this case should serve as a deterrent to others."
Birdsey said that the case serves as further proof that personal data is a valuable commodity to malicious third parties, following other recent developments in relation to the hacking of data held by British Airways and Marriott among others.
"The ICO is charged with protecting personal data and, where there is an offence, including here under the Computer Misuse Act, the regulator will not hesitate to investigate and bring cases which may lead to a criminal prosecution," Birdsey said. "Unfortunately, the theft of confidential data from corporate databases, such as commercially sensitive customer lists or supplier contracts, by employees is common. This is often perpetuated by individuals who hold a grievance against their employer, or those who are leaving the organisation for a rival, or others merely ignorant of their legal and contractual obligations, all of whom may be motivated in some way by potential financial or personal gain."
"Further prosecutions like the ICO's in this case are to be expected. The Computer Misuse Act is a relatively low profile piece of criminal statute but its wide-ranging provisions and broad scope and reach make it an attractive tool for the ICO and other authorities to rely on for bringing prosecutions for data-related crimes," he said.