Six month imprisonment in first ICO computer misuse act prosecution

Is the Information Commissioner’s Office (ICO) extending the scope and severity of its enforcement powers?

The background

After moving to another company, an ex-employee of Nationwide Accident Repair Service (NARS) continued to access personal customer data from a software system also used by his new employer.  Mr Mustafa Kasim gained access to the software system, which estimates the cost of vehicles repairs, by using his ex-colleagues’ login details without permission and then proceeded to misuse the data.  Following an increase in customer complaints about nuisance calls, NARS alerted the ICO of its suspicions that customer data was being misused and assisted the ICO with its investigation. 

The ICO’s decision to prosecute

The ICO usually prosecutes these types of cases under the Data Protection Act 1998 (DPA 1998) or Data Protection Act 2018 (DPA 2018) – however, the maximum penalty available for civil or criminal breaches under these Acts is a fine.

In this case, the ICO considered that the nature and extent of Mr Kasim’s offences warranted harsher penalties than just a fine, so the ICO took the unusual step of pursuing dual charges against Mr Kasim, under both Section 55 of DPA 1998 (DPA 2018 did not apply retrospectively to the offending period of January to October 2016) and also the Computer Misuse Act 1990 (CMA) (which allows for custodial sentences ranging up to 14 years).  In particular, the ICO prosecuted Mr Kasim under Section 1 of the CMA, which makes it an offence to cause a computer to perform a function with intent to secure access to any programme or data without permission and carries a custodial sentence of up to two years. 

Mr Kasim pleaded guilty to the offence of securing unauthorised access to personal data and was sentenced to six months’ imprisonment.  Given this guilty plea, the ICO decided not to pursue the charges under Section 55 DPA 1998 to full trial. However, there are ongoing criminal proceedings to recover the benefits of Mr Kasim’s deliberate misuse of the data. 

With regards to NARS, the ICO recognised that NARS had worked with the ICO during the investigation and put appropriate technical and organisational measures in place to ensure that such a breach did not occur again. 

Why is this important?

Although this case concerned the prosecution of an individual, this case is another warning to businesses that the ICO’s enforcement practices are increasing in scope and severity.

Despite its previous position that prosecutions under the CMA are outside its remit, it is clear that the ICO is increasingly willing to flex its regulatory muscles and use all of the tools in its arsenal to ensure that the appropriate penalties are handed out for data offences.  The head of criminal investigations at the ICO made it clear that the ICO will continue to “push the boundaries” to protect the personal data rights of individuals, even if the circumstances of the case do not fit squarely into either of the Data Protection Acts (1998 or 2018). 

Any practical tips?

If businesses wish to avoid liability and stricter penalties from the ICO for deliberate data breaches, it is essential that they remain diligent with regard to their data protection practices and continue to monitor the processing of personal data by employees and ex-employees.  Businesses should use strict password systems, keep access records and enforce strict internal sanctions for data misuse by employees.  If suspicions of data misuse are raised, businesses should inform the ICO, assist with the ICO’s investigation and immediately take steps to mitigate the breach and ensure that similar breaches do not reoccur.  It’s worth remembering the Morrisons class action case too.  The facts were not too dissimilar to this case, in which Morrisons were held to be vicariously liable for the actions of its rogue employee.  And so it’s not just the regulatory fines which come into view, but also (potentially very) expensive class actions.