Following the Information Commissioner’s Office (ICO) declaration that tougher sentences are needed to deter data thieves, Esther George, who is Director of Cyber Crime and Prevention at 8MAN, and formerly a senior policy advisor for the Crown Prosecution Service and author of the Council of Europe Electronic Evidence Guide, as well Phillip Manning, Non-Executive Director at 8MAN have the following comments on it.
Esther George, Director of Cyber Crime and Prevention at 8MAN:
“The comments from Information Commissioner Christopher Graham on the need for greater sentencing powers reveals the continued disconnect between the actions of cyber thieves and the punishment that they receive. There needs to be a move to ensure that the penalties given take into account the gravity of the situation.
At present, most cases if handed to the police and Crown Prosecution Service (CPS), can be dealt with under Section One of the Computer Misuse Act 1990, which deals with unauthorised access to a computer and can result in a fine and imprisonment of up to six months. The ICO prosecutes under the Data Protection Act so they are limited to fines alone.
However, we should be looking to prosecute offenders under Section 55 of the Data Protection Act. Currently this means that only fines can be imposed but the Secretary of State has the power to alter the penalty for an offence of unlawful obtaining data which will give judges greater sentencing powers, including longer imprisonment. This hasn’t happened yet and therefore lighter penalties are given. It is no surprise that cyber crime continues to rise with low fines acting as the only deterrent.
More importantly though is the need for much greater education within organisations as to how to handle these incidents, who they inform and what they should do to prevent them in the first place. For many organisations they presume that if data is lost that they should go to the ICO, who then run their own investigation and prosecute. This means that the police and CPS aren’t even aware or are able to impose tougher sanctions. Education must take place into what policies and procedures are needed to prevent these incidents, when they should go to the police versus the ICO and what information needs to be provided to build a solid case for prosecution under the Data Protection Act. Only with tougher penalties will we deter cyber criminals.”
Philip Manning, Non-Executive Director at 8MAN:
“Cyber protection is about much more than just implementing a solution. Organisations need to be in the mindset of prevention is better than being reactive and that is a much bigger issue and challenge than should be sitting in the Risk or IT teams of a business. The fine of £1,000 for stealing 28,000 pieces of sensitive data, as referenced by Christopher Graham, is minimal compared to the greater damaging effect it could have on a company in terms of financial harm on share prices or loss of reputation. The responsibility for addressing how a company can prevent and deal with breaches needs to lie with the CEO. All too often companies focus all its attention on the external threats when the reality is that internal threats actually pose the biggest risk to a business, and can be the easiest one to address. By preparing and, crucially, enforcing policies and procedures that clearly outline the boundaries to which employees can access data and the resultant actions should they breach this trust, it ensures that the importance of data protection is upheld throughout the organisation.”