Taken From: http://www.pritchettslaw.com/

← Back

Claims Management Company Heavily Fined for Repeated Data Breaches

Claims management companies perform a valuable role in society but are expected to maintain the highest standards of care when handling personal data. The First-tier Tribunal (FTT) made that point in confirming a substantial financial penalty imposed on a company that signally failed to match up to those standards.

iPhoneThe company, which specialised in pursuing payment protection insurance (PPI) mis-selling claims on behalf of its clients, failed to heed repeated advice and warnings in respect of its data handling procedures from the Claims Management Regulator (CMR). It had purchased personal data from websites where consumers had not given valid consent to be contacted in relation to PPI claims.

The CMR – a body which has since been abolished and whose functions have been taken over by the Financial Conduct Authority – decided that the company had displayed a pattern of misconduct in breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003 and imposed a £91,000 penalty.

In rejecting the company’s appeal against that decision, the FTT found that it had consistently failed to take all reasonable steps to achieve compliance with its data handling obligations. In failing to adopt robust due diligence procedures, it had, amongst other things, neglected to check the privacy policies or terms and conditions of the websites from which it acquired data.

The company conceded that a rogue employee had engaged in what it agreed was the abhorrent practice of copying clients’ signatures on other documents onto letters authorising the company to act on their behalf. It said that the employee’s conduct did not reflect the values of the company and that she had been appropriately disciplined.

The FTT, however, found that the errant employee’s conduct was a reflection of the company’s negligent failure to properly train or supervise her. The size of the penalty was justified by the gravity of the data breaches, which had the potential to affect a considerable number of consumers. The fact that no member of the public had actually complained was irrelevant.

Contact us for more information

← Back