The Information Commissioner’s Office (ICO) has brought its first-ever prosecution under the Computer Misuse Act, securing a six-month prison sentence for a motor industry employee who collected the personal information of thousands of citizens without obtaining prior consent.
Earlier this year, London-based law firm Reynolds Porter Chamberlain LLP revealed that even though the UK witnessed an estimated 1.7 million cyber crimes last year, the number of cyber crime convictions was falling year after year, from 61 in 2015 to 57 in 2016 and just 48 in 2017.
The firm said that the low number of cyber crime prosecutions was a result of “police not having the resource to tackle the full extent of the problem as cybercrime has become increasingly widespread and complex”.
According to the National Crime Agency, many cyber criminals were not effectively thwarted from carrying out fresh attacks not only because a lot of cyber crimes went unreported, but also because convictions of criminals were not sufficient to deter them.
“As many convictions are under the Fraud Act rather than the CMA (Computer Misuse Act), this compounds the problem and furthers the perception of ‘cyber crime without consequence’,” it said.
ICO invokes Computer Misuse Act
In a first, the ICO recently issued a six-month prison sentence under the Computer Misuse Act 1990 to Mustafa Karim, an employee of accident repair firm Nationwide Accident Repair Services (NARS) who accessed “thousands of customer records containing personal data without permission”.
According to the ICO, Karim gained access to such data by using the login credentials of a colleague to access a software system known as Audatex, which estimates the cost of vehicle repairs. The ICO was made aware of such unauthorised access by NARS after the firm received complaints of nuisance calls from customers.
“Although this was a data protection issue, in this case we were able to prosecute beyond data protection laws resulting in a tougher penalty to reflect the nature of the criminal behaviour,” said Mike Shaw, Group Manager Criminal Investigations Team at the ICO.
“Members of the public and organisations can be assured that we will push the boundaries and use any tool at our disposal to protect their rights. Data obtained in these circumstances is a valuable commodity, and there was evidence of customers receiving unwarranted calls from claims management companies causing unnecessary anxiety and distress.
“The potential reputational damage to affected companies whose data is stolen in this way can be immeasurable. Both Nationwide Accident Repair Services and Audatex have put appropriate technical and organisational measures in place to ensure that this cannot happen again,” he added.