Out-Law / Your Daily Need-To-Know

Finance company identifies 294 recipients of non-payment legal threat

Out-Law News | 18 Aug 2009 | 4:49 pm | 1 min. read

A finance company has disclosed the email addresses of 294 customers that it says are behind in their repayments to the firm. The company emailed the customers but did not hide the addresses of everyone it contacted.

The email makes it clear that the 294 customers are being contacted because they are behind in their repayments. Some of the affected customers have expressed fears that this opens them up to contact from companies which target people in financial difficulty.

Clode Retail Finance is described on its website as "the largest provider of interest-free finance for fashion purchases and dental treatment in the UK today." It wrote to 294 customers on Monday to tell them that they were behind in payments and that legal action was pending.

"Your account is more than 30 days in arrears, and it is our intention to take further action against you in respect of the aforementioned account," said the email. "To avoid this we need your response by close of business Friday, 28th August 2009."

Clode chief executive Nick Davies told OUT-LAW.COM that the revealing of the addresses was a mistake.

"The breach of our standard procedures occurred as a result of human error on our part," he said in an emailed statement. "All customers affected by this issue were contacted earlier today to highlight the problem and an apology was issued."

The email contains the words "this message contains confidential information and is intended only for…" followed by all 294 addresses. It reveals to each recipient that the others are in Clode's records as being behind in repayments.

Technology lawyer Struan Robertson of Pinsent Masons, the law firm behind OUT-LAW.COM, said that the individuals whose details were exposed would only be able to claim damages from the company if they could show direct financial loss as a result of it.

OUT-LAW.COM understands that at least one of the customers involved intends to report the breach to privacy regulator the Information Commissioner's Office (ICO), which oversees the Data Protection Act.

That Act governs what companies can do with any information that qualifies as 'personal data'. It says that organisations must take "appropriate technical and organisational measures" to ensure that data is properly treated.

Davies said that the company had already made changes to the way it operates.

"The issue arose as a result of human error and we have already taken steps to ensure that this cannot be repeated in future by changing various internal processes," he said. "In the case of any complaints to the Information Commissioner we will explain this further and address directly any specific issues raised."