In a move which demonstrates that it has real teeth as a criminal prosecutor, the Information Commissioner’s Office (ICO) has secured its first prosecution under the Computer Misuse Act 1990.
The case, reported on 12 November 2018, concerned a former employee of a motor accident repair firm who, at his new firm, accessed without authority thousands of customer records, containing personal data, using the log-in details of his former colleagues. He pleaded guilty and was sentenced to six months’ imprisonment.
Until now, the ICO has investigated and prosecuted such criminal data breaches under the Data Protection Acts. However, the maximum penalty which may be imposed for such breaches is a fine. While fines may be considerable, monetary penalties arguably lack the deterrent effect which is attached to a real risk of imprisonment.
And this is where section 1 of the Computer Misuse Act 1990 comes in. Hacking – essentially, unauthorised access to computer material – carries a maximum sentence of two years’ imprisonment.
The fact is that there is a significant overlap between the unlawful use of personal data and criminal computer misuse. It is well established that the offence of hacking is not limited to the archetypical black hat hacker maliciously targeting third parties’ computer systems: it extends equally to what might be considered relatively benign activity, such as employees accessing parts of their employers’ systems beyond those they have been authorised to access, or for purposes other than those for which authorisation had been granted. Much of this type of conduct could, therefore, be prosecuted under either Act.
The ICO as a statutory body is empowered to bring prosecutions for any offence, unless there is a specific provision precluding it from doing so. The fact that it could have prosecuted the same facts under the Data Protection Act does not prevent it bringing a prosecution under the Computer Misuse Act if it is satisfied that it is appropriate to do so. Quite apart from the more robust sentencing options, the unauthorised access offence within the Computer Misuse Act may more closely reflect the wrongdoing being prosecuted, providing the ICO with a useful alternative to the very specific offence of “obtaining data without consent” under s170 DPA.
Individuals receiving an unwelcome letter from the ICO will therefore no longer be able to draw solace from the fact that the worst-case scenario is a fine. The ICO has sent a clear message that it can and will bring cases where jail time is a real possibility. With this case under its belt, the likelihood is that it won’t be long before it is baring its teeth again.