While attention on data protection has focused on GDPR, it is worth highlighting that the Information Commissioner’s Office (ICO) has, for the first time, prosecuted an individual under the Computer Misuse Act 1990.
Let us start by saying that this was not committed in the financial services sector. However, there are valuable lessons that can be learned by insurance brokers, so it is worth considering.
The case concerns an individual who, at the time, was employed by an accident repair firm. This individual used a colleague’s computer log-in details to access thousands of customer records – which included personal data – without permission. GDPR alarm bells ringing?
The individual then started a new job with a different business which used the same software system and continued to access the records.
The offence was discovered when the former employer contacted the ICO due to an increase in the volume of customer complaints received regarding nuisance calls.
The individual was prosecuted under the Computer Misuse Act 1990, on the grounds that it is a criminal offence to misuse a computer to gain unauthorised access to any data held on that computer.
The ICO has typically prosecuted cases under data protection law, but, in this instance, opted to use the Computer Misuse Act 1990 as it better reflected the nature of the offence. The result was a six-month prison sentence.
This case shows the tough stance the ICO is adopting. While this sort of issue is unlikely to occur, thanks to the back-office systems used by general insurance brokers, there are some things to consider:
- When an employee leaves, are their log-in rights and access immediately disabled?
- Do you restrict access to relevant parts of a system to prevent unauthorised access?
- Is staff access limited to only those areas they need to perform their role?
- Do you review audit trails to confirm that data is only being used appropriately?
- Would you be able to detect a breach if one occurred?
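As an added illustration of the audit-trail review in the last two questions (this is not code from the article or from any broker system), the script below runs two checks over an application access log: credentials still being used after an employee's last working day, and a single account touching an unusually large number of distinct customer records. The log lines, the leaver list and the threshold are constructed sample values; a real review would read the audit export of your own back-office system and set the threshold from its normal usage pattern.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the article): last working day per leaver,
# and an application audit trail of "date user record_id" lines.
LEAVERS = {"jsmith": date(2018, 3, 31)}
AUDIT_LOG = """\
2018-03-28 jsmith CUST-1001
2018-03-29 apatel CUST-1002
2018-04-02 jsmith CUST-1003
2018-04-02 jsmith CUST-1004
2018-04-03 jsmith CUST-1005
2018-04-03 apatel CUST-1002
2018-04-04 jsmith CUST-1006
""".splitlines()

def parse(lines):
    """Parse 'YYYY-MM-DD user record' lines into (date, user, record) tuples."""
    events = []
    for line in lines:
        day, user, record = line.split()
        events.append((date.fromisoformat(day), user, record))
    return events

def access_after_leaving(events, leavers):
    """Events where a leaver's credentials were used after their last working day."""
    return [(d, u, r) for d, u, r in events if u in leavers and d > leavers[u]]

def bulk_access(events, threshold):
    """Users who touched at least `threshold` distinct records (possible mass access)."""
    seen = defaultdict(set)
    for _, user, record in events:
        seen[user].add(record)
    return {u: len(rs) for u, rs in seen.items() if len(rs) >= threshold}

def review(lines, leavers, threshold):
    """Run both checks and return the findings for a human reviewer."""
    events = parse(lines)
    return {"after_leaving": access_after_leaving(events, leavers),
            "bulk": bulk_access(events, threshold)}

if __name__ == "__main__":
    findings = review(AUDIT_LOG, LEAVERS, threshold=4)  # threshold is low for the tiny sample
    for d, u, r in findings["after_leaving"]:
        print(f"{u} accessed {r} on {d}, after leaving on {LEAVERS[u]}")
    for u, n in findings["bulk"].items():
        print(f"{u} accessed {n} distinct customer records")
```

Either finding on its own is only a prompt for investigation: the leaver check also catches accounts that HR forgot to tell IT to disable, and the bulk check will flag legitimate batch work unless the threshold reflects normal usage.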
Given the rise in incidents and the growing sophistication of cybercrime, many firms are focused on security and the misuse of data. Too often, perhaps, that focus is on external threats such as hacking. This case shows that threats can be internal as well as external, and firms need to re-evaluate their internal security measures accordingly.
Remember, cybersecurity is a key issue for the FCA, and they will expect you to have carried out the necessary work to keep your customers' data secure.
Your IT professional advisers will be able to help, but please speak to your RWA Business Manager if required.