A client recently received an email from a dealer with whom he had done a lot of business over the years. The email had attached an invoice for a work that he purchased last year.
The client was confused as to why they had sent this now, as payment had been made in 2017.
This was not, however, the troubling aspect of the email. On closer inspection, a stranger had been copied into the email by the dealer.
It transpired that the dealer had been duped into releasing the client’s entire purchase history by a persuasive individual posing as my client, who claimed that his accountant needed this information urgently in order to file his accounts.
Not surprisingly, my client was alarmed by what clearly had amounted to identity fraud. So, we set about trying to uncover the impersonator’s identity.
The dealer co-operated with the client’s IT department and they located the fraudster’s IP address, but the telecoms provider refused to disclose the identity of the person behind it.
“It transpired that the dealer had been duped into releasing the client’s entire purchase history
Readers of ATG will be aware of the recent GDPR requirements which came into force in the EU on May 25 (as the Data Protection Act 2018 in the UK) and of the right to have the privacy of one’s personal data protected (see ATG's guide).
There are general rights, ultimately in the court’s hands, for an aggrieved claimant to seek disclosure of documents against the opposition, relevant to the issues in the claim, where one takes court action.
Here we could certainly take proceedings against the fraudster, but only if we could find him or her – a classic catch-22 situation.
I suggested that if we were to take action against the dealer who wrongly disclosed the information, then, on the back of that, my client would at least have rights of disclosure in principle in the claim made.
However, the client explained that he still does business with the dealer and has sympathy with the fact the dealer was an innocent third party.
So, what to do? Riding to the rescue came sections of the Data Protection Act 2018.
Though data privacy is at its core, there are, however, complex provisions allowing for release of data in many circumstances. We went for the most straightforward available: under a general ‘public interest’ exception we chose two subsections to justify release.
The first enabled disclosure of data “if the processing is necessary… for the administration of justice”, and the second enabled disclosure if it is “necessary for the purposes of the prevention or detection of an unlawful act”, which “must be carried out without the consent of the data subject, so as not to prejudice those purposes”.
We wrote seeking disclosure from the telecoms provider under these provisions, but I warned the client that the provider was bound to put up the barricades against us.
Unexpectedly, the provider was forthcoming, on the back of a letter threatening application to court. It went on to explain that the IP address concerned could have been used by as many as 4500 people on the particular day, so the fraudster sending the emails could not be identified.
However, the client’s IT support engineers are making good progress in narrowing the field, on the information received, and we are closing in. Lassoing the impersonator would of course be a great relief to the client, who was keen to let others in the trade know what can happen.
Milton Silverman is senior commercial dispute resolution partner at Streathers Solicitors LLP, London.