Insurer compensated over 'breach of confidence' data theft

Out-Law News | 19 Nov 2019 | 5:01 pm | 2 min. read

The High Court has awarded compensation to an insurer in its case against an individual who sold on road traffic accident data he illicitly obtained from an employee of the business.

The insurer, Aviva, successfully argued breach of confidence on the grounds that David Oliver had received the data in circumstances giving rise to an obligation of confidence and that he made profits by selling it to others. The judge also ruled that Oliver had induced Aviva's employee, Kirstie Carruthers, to breach her contractual obligations to her employer; and that the pair had formed an 'unlawful means conspiracy' by acting together to harm Aviva.

The judge awarded the insurer over £108,000 in damages, which was the cost of an internal programme set up to deal with the consequences of Carruthers' misuse of policyholder data.

Andrew Barns-Graham

Associate

In some cases, the only recourse for a victim is to seek compensation, as Aviva did in this case. In the right circumstances, though, injunctive relief represents an effective means of preserving confidentiality.

The court heard how Carruthers accessed Aviva's systems to obtain the personal details of policyholders who had reported accidents in which they had not been at fault. She provided these details to Oliver in return for payment, and Oliver then sold the details on to claims management companies. The data theft was uncovered by a policyholder, and both Carruthers and Oliver have been prosecuted for offences under the 1988 Data Protection Act.

Aviva then sought damages against Oliver in the civil courts. In response, Oliver claimed that he had not been aware that Carruthers had obtained the data wrongfully, which would mean he had not breached Aviva's confidence. He claimed that he had asked her about the source of her information, and was assured by her that the information had been legitimately obtained from a credit hire company.

Judge Eyre QC conceded that Aviva was unlikely to be able to establish liability if Oliver genuinely believed that the information was coming to him legitimately. However, he ruled that it was more likely on the balance of probabilities that Oliver did not genuinely believe this to be the case. He found that Oliver was marketing the information to his own clients as "24hr data" which could only have been obtained from an insurance company, and also referred to a series of text and Whatsapp messages exchanged between Oliver and Carruthers that used insurer-specific terminology. The data also included insurance policy numbers that could only have come from a single insurer.

"In the light of that material I find that [Oliver] knew that Miss Carruthers worked for an insurance company and in fact knew that she worked for [Aviva]," the judge said. "He knew that the information being provided to him had been obtained by Miss Carruthers accessing [Aviva's] systems while she was at work and doing so illegitimately and without authority."

"[Oliver's] assertion that he was ignorant of these matters simply cannot stand when the evidence is seen as a whole and assessed in the light of common sense and inherent likelihood. The conclusion that [Oliver] knew about these matters is, in my judgement, not just the most likely explanation of the evidence but is the only realistic explanation," he said.

Civil litigation and asset recovery expert Andrew Barns-Graham of Pinsent Masons, the law firm behind Out-Law, said: "Confidentiality is extremely fragile - once there has been a leak, it can be very difficult, or sometimes impossible, to contain".

"In some cases, the only recourse for a victim is to seek compensation, as Aviva did in this case. In the right circumstances, though, injunctive relief represents an effective means of preserving confidentiality. In such cases, it is imperative to act quickly by instructing lawyers specialising in injunctive relief at the earliest possible opportunity," he said.