If you thought breaching confidential information would earn you a slap on the wrist and nothing more, you thought wrong.
Recently, two people from a claims management company and an insurance company were jailed for 12 months following a serious data breach. Data is a sensitive and valuable commodity, and the punishments for failing to protect information should be strict.
Nature of the data breach
Aisha Elliot, an employee of a claims management company, bribed Stephen Karl Oates, a former employee of LV=, for the confidential details of motor accident victims. Both employees received 12 months in prison, for offering and for receiving the bribe of £17,000 respectively.
Oates worked in the insurer’s third-party team as a consultant. A full review of the third-party team was carried out, and it was then discovered that Oates had been selling customers’ confidential information for personal gain. Each time data he sold to Ms Elliot led to a successful claim, he would earn £150.
Mr Oates spilled all the details to the IFED, saying that he would write personal information on pieces of paper and pass the data on to Ms Elliot. At its peak, the arrangement saw Mr Oates supply Ms Elliot with the private information of at least seven customers. During this time he received more than £1,000.
Not only did both individuals commit a bribery offence, they also breached data protection rules. Mr Oates unlawfully processed data by accepting the bribe from Ms Elliot. This infringes provisions in the Data Protection Act (DPA).
Investigation
The investigation into the bribe took place in 2015 when LV= suspected that one of its computer systems had been accessed with information sold by an LV= employee. The City of London Police’s Insurance Fraud Enforcement Department (IFED) was contacted to investigate Ms Elliot and Mr Oates.
This was the first time that the IFED charged individuals for offences under the Bribery Act. The IFED’s Detective Chief Inspector, Oliver Little, said:
“…fraud within the insurance industry is taken extremely seriously – whether it’s members of the public looking to submit false claims for a profit, or indeed members of staff that think it is acceptable to sell on customer data.”
Ammunition for future cases
This case has given the IFED ammunition, in cooperation with insurers, to investigate and target employees who sell customer data. This can also help to ensure that customers’ confidential information is secured and processed in accordance with the DPA.
Severe consequences?
Martin Milliner, LV= Claims Director, reiterated the severity of penalties, saying:
“…this reinforces the message that bribery and fraud are serious crimes which perpetrators can expect to be punished for, whether they receive a criminal record or worse, a stint in prison.”
The current punishment for selling personal and/or confidential information is arguably quite trivial: a slap on the wrist and a fine from the Information Commissioner’s Office (ICO, the data privacy watchdog) if offenders are prosecuted under the DPA. What makes this case unique is the fact that both individuals were guilty of bribery offences, and this is what earned them prison sentences.
Are more stringent penalties needed?
There is growing support for tougher penalties by the ICO, which include the possibility of a custodial sentence for those who infringe on data protection laws. As the City of London Police Detective Constable, Kate Sibley, quite rightly puts it:
“…illegitimately selling or buying an insurer’s confidential customer information is a criminal offence!”
In agreement with Detective Constable Sibley’s line of thought, a breach of information privacy should carry the same punishment as white-collar crime.