It’s unusual to see a complaint that was raised over 6 years ago now making headline news in the Times. So what’s all the fuss about? Well, it’s been labelled the biggest incident of alleged misbehaviour by one top-flight club against another in the Premier League’s history. The complaint came from Manchester City, alleging that their scouting system ‘Scout7’ had been hacked into on hundreds of occasions over an 8-month period by three former City scouts who had moved to Liverpool. Scout7 is effectively the recruitment platform for football clubs: it offers an online database of player information (from age, club history and position to statistics) and lets clubs share data and video content around the world at their fingertips, saving time and money.
It’s reported that Liverpool paid City £1m in settlement monies to draw a line underneath the dispute. Had they not, you’d expect City’s legal team to raise various arguments, including (1) Liverpool’s unlawful use of City’s confidential information (Scout7) at a rival club, making it liable for an account of profits made from the misuse or, alternatively, damages; (2) infringement of the Copyright and Rights in Databases Regulations 1997; (3) breach of post-restrictive covenants against the three former City scouts; and (4) delivery up of all documents and other records containing confidential information belonging to City. These underlying principles were examined in detail by HHJ Davies in the case of Keystone Healthcare Ltd & Anr v Parr & Others  EWHC 1509 (Ch).
Whilst on the face of it £1m seems a lot of money for Liverpool to part with, one can imagine that if the accounts and balances were tallied up, City’s losses could well have exceeded that. In the era of GDPR, had this incident happened now and not 6 years earlier, the Information Commissioner’s Office would be all over the ‘personal data breaches’, which would also open up potential claims from the individual players concerned.
When asked, Gary Hibberd, a Cybersecurity and Data Protection professional at Cyberfort Group, stated that there are a number of issues at play here. “It’s interesting that the focus is on Liverpool and Manchester City, but it would be interesting to know what controls Scout7 had in place to protect this data. If they had been hacked on ‘hundreds of occasions’, when did they become aware of this? What have they done to prevent this happening again? If the truth of the matter is that ex-employees used login credentials to access the data, then why weren’t these removed when they left? These are standard practices we all should apply. This happened long before GDPR came into force, but had it occurred today it would be interesting to know how the ICO feels about the actions taken at the time, as the use of Data without clear consent is now a very serious breach of the GDPR.”
Gary went on to explain that data is an incredibly important asset and organisations need to think seriously about how they use data and how they protect it. It doesn’t need to be complex, but they should be taking appropriate steps to protect that data.
Front Row Legal are a boutique law firm that specialises in Sport, Media and Business Law in England and Wales. They have specialist knowledge in these areas of law, which means they can help where many law firms won’t have the experience. They are based in Leeds with a national client base. frontrowlegal.com