Workplace Data Leaks – Motor Insurer Wins Six-Figure Compensation
Miscreant employees often form the first link in a chain which feeds the black market in personal data. However, as a ground-breaking High Court ruling showed, anyone who profits from the use of such illicitly leaked material risks being hit hard in the pocket.
The case concerned a motor insurance company employee who leaked the personal details of policyholders who had suffered road accidents which they asserted were not their fault. The data was provided in spreadsheet form to an intermediary, who sold it on to claims management companies. The companies used the data in order to market their services to the relevant policyholders.
The employee was paid at least £16,200 for the data she provided. This data included policyholders’ names and telephone numbers, as well as details about their accidents. This data had been given to the company in confidence. The intermediary was alleged to have made a minimum of £370,742 from selling on the data.
After the employee’s activities were investigated by a policyholder and reported to the company, both she and the intermediary were arrested. The intermediary subsequently admitted an offence under the Data Protection Act 1998 and received a fine and a confiscation order under the Proceeds of Crime Act 2002. That was, however, not the end of the matter and the company launched civil proceedings against him.
In upholding the company’s claim, the Court concluded that the intermediary knew that the employee had obtained the data from the company’s computer systems illegitimately and without authority. That knowledge put him under an obligation of confidence to the company, which he had breached. Payments he made to the employee induced her to breach her employment contract and his actions also amounted to an unlawful means conspiracy.
The company had been forced to engage in a major mitigation exercise following the discovery of the employee’s misconduct. Reassuring telephone calls had to be made to each affected policyholder and much time and effort had been expended on dealing with complaints. The Court ordered the intermediary to pay the company £108,651 in damages, that sum representing the cost of the mitigation exercise.
We can offer advice regarding data protection laws. For more information, please contact Healys LLP on 0800 2800432 or email us at email@example.com.