Car dealers should remind their staff that a breach of customer data protection legislation could result in a prison term, Dragon 2000 has said.

The Information Commissioner’s Office (ICO) recent prosecution of a fast-fit service centre employee under new consumer data laws should not fool car dealers into thinking their business will be absolved of any responsibility, according to Mark Kelland, commercial manager of Dragon2000.

The Information Commissioner’s Office’s (ICO) first prosecution under the Computer Misuse Act, last month, resulted in a six month jail sentence for former Nationwide Accident Repair Services (NARS) employee Mustafa Kasim.

Kasim had accessed thousands of customer records containing personal data without permission, using his colleagues’ log-in details to gain access to Audatex, a software system which estimates the cost of vehicle repairs.

But DMS provider Dragon 2000 has this week warned car retailers that business could also be hit by future civil fines if the ICO determine processes and procedures were not put in place to reduce the risk of data breaches and actions of rogue employees.

Kelland said: “It’s important to ensure that all staff and subsequent new employees are educated on the seriousness of data protection. 

“Dealers should explain their business policies and procedures, which many will have defined in complying with GDPR, which they must adhere to.

“Employment contracts should also be updated to ensure they make clear what is expected of employees regarding data protection.

“Their agreement to it will make taking action easier, should they breach the rules, and it also shows that measures have been put in place to help to prevent misuse of customer data.

“It is worth reminding employees that they can be prosecuted as an individual if they deliberately obtain personal data without permission and face fines, or even a prison term.”

Many of the changes that should protect car retailers against enforcement by the ICO should already have been put in place in time for last year’s introduction of the new GDPR data protection legislation.

But Kellend was keen to remind retailers of some basic steps that they should be taking as part of efforts to protect them, and their employees, from the risk of a data breach. He said: “Dealers can reduce the risk of data theft by making sure all employees have their own individual logins for any of systems containing personal customer data.

“Change passwords immediately if it is suspected they have been compromised and only give personalised employee login permissions for system areas and data that is required for them to perform their role.

“Staff also need to be warned not to share login credentials with their colleagues – this will avoid accountability issues and potential misuse.

“Finally, revoke system logins for ex-employees upon them leaving and do not leave them live for someone else to use.

“If dealers follow these simple procedures, they will significantly reduce the risk of data theft and avert the commercial and financial impact of a breach.”

Dragon 2000 warned that stolen customer data can lead to nuisance sales calls at one end of the scale, all the way to identity fraud and compromised bank accounts at the other.

Kasim’s earlier data breach was identified when NARS saw an increase in customer complaints about nuisance calls and contacted the ICO, before assisting them in their investigation.

The ICO usually prosecutes cases like this under the Data Protection Act 1998 or 2018 but prosecuted his case under s.1 of the Computer Misuse Act 1990 “to reflect the nature and extent of the offending and for the sentencing Court to have a wider range of penalties available”, it said.

Mike Shaw, head of criminal investigations at the ICO, said: “Data obtained in these circumstances is a valuable commodity, and there was evidence of customers receiving unwarranted calls from claims management companies causing unnecessary anxiety and distress.

“The potential reputational damage to affected companies whose data is stolen in this way can be immeasurable. Both Nationwide Accident Repair Services and Audatex have put appropriate technical and organisational measures in place to ensure that this cannot happen again.”