Following an inquiry by the Information Commissioner's Office (ICO), insurance firm Woodgate & Clark Ltd has been given a record fine for breaching the UK's Data Protection Act. The firm itself was fined £50,000 while a former director and senior employee were fined £75,000 and £30,000 respectively for their involvement.
The firm had hired two private detectives to illegally obtain the banking information of an insurance claimant whose nightclub had burned down, in order to determine if the claimant could afford to pursue a legal challenge against them. The private detectives used a 'blagging' technique to obtain the information: they contacted the claimant's bank and pretended to work in a different department of the bank in order to trick bank employees into divulging the claimant's personal information. The private detectives were able to obtain information in relation to the claimant's private personal accounts, loans and mortgages, and this information was then passed on to the insurance company, who were aware it had been obtained illegally.
Commenting on the case, Elizabeth Denham, the UK Information Commissioner, noted "the illegal trade in personal information is not only a criminal offence but a serious erosion of the privacy rights of UK citizens. As well as these record fines, the organisations and individuals involved also face serious reputational damage as a result of being prosecuted by the ICO." Additionally, the judge, Charles Macdonald QC, said that the offences involved were "relatively serious" and the motivations were plainly commercial.
This is the first prosecution of a company for 'blue chip hacking' by the ICO, but it is unlikely to be the last. The case follows on from an inquiry the ICO initiated in 2013 after 125 victims complained that the police failed to properly investigate their claims that they were subject to illegal data gathering tactics by 98 legal, insurance and financial companies throughout the UK. Accordingly, the ICO has announced that in 2018 it will be focused on bringing claims against ten such firms accused of similar 'blue chip hacking' tactics.
After the General Data Protection Regulation comes into effect on 25 May 2018, it is expected that fines for illegal data processing will increase considerably, as regulators such as the Irish Office of the Data Protection Commissioner and the ICO will be empowered to issue fines of up to €20 million or 4% of a company's annual global turnover. This means that companies need to be fully aware of their obligations under data protection law and ensure that all data processing activities are being conducted in line with those obligations.