Two sentenced under the Computer Misuse Act for data theft
The individuals were accused of siphoning away personal data from RAC to an accident claims management firm
Kim Doyle, a former RAC employee, was found guilty of transferring personal data to an accident claims management firm without permission, including road traffic accident data such as names, mobile phone numbers and registration numbers.
An ICO investigation found that Dyle transferred the data she had obtained to William Shaw, the director of TMS, with this data subsequently being used to make nuisance calls. This constituted a breach of the CMA, with Doyle pleading guilty to conspiracy to secure unauthorised access to computer data, and selling unlawfully obtained personal data.
Both Doyle and Shaw, as a result, have each been handed an eight-month prison sentence, suspended for two years.
“People’s data is being accessed without consent and businesses are putting resources into tracking down criminals,” said Mike Shaw, who heads up the UK data regulator’s criminal investigations team.
“Once the data is in the hands of claims management companies, people are subjected to unwanted calls which can in turn lead to fraudulent personal injury claims. Offenders must know that we will use all the tools at our disposal to protect people’s information and prevent it from being used to make nuisance calls.
“This case shows that we can, and will take action, and that could lead to a prison sentence for those responsible.”
This is only the latest in a handful of prosecutions made under the CMA, led by the ICO. In June 2020, for instance, a businesswoman was sentenced for illegally accessing a company’s servers and deleting files months after resigning as a director.
While only a few individuals are prosecuted under the CMA, historical research had found that more than a third of IT workers admitted to violating this legislation. The research from 2016 showed that roughly half of employees surveyed admitted to retaining access to their former employer’s network, while 36% admitted to accessing corporate systems after leaving their roles.
The act itself, however, is widely deemed out-of-date and counterintuitive by many working in the IT sector and in cyber security.
According to research published last year, the 30-year-old legislation is preventing cyber security professionals from doing their jobs. Many, in particular, are worried about whether may be breaking the law while researching vulnerabilities, or investigating threats. Specifically, 40% of those surveyed said the CMA has acted as a barrier to them or their colleagues and has prevented them from proactively safeguarding against breaches.
A coalition of businesses, trade bodies, lawyers and cyber security lobby groups also wrote to the prime minister, Boris Johnson, in June 2020 urging his government to reform the CMA for similar reasons. This group included techUK, F-Secure, McAfee and Trend Micro, among other organisations.
The Criminal Law Reform Now Network (CLRNN) has also reported on the shortcomings of the CMA, claiming in January last year that the legislation is putting critical UK infrastructure at risk.
Four strategies for building a hybrid workplace that works
All indications are that the future of work is hybrid, if it's not here alreadyFree webinar
The digital marketer’s guide to contextual insights and trends
How to use contextual intelligence to uncover new insights and inform strategiesFree Download
Ransomware and Microsoft 365 for business
What you need to know about reducing ransomware riskFree Download
Building a modern strategy for analytics and machine learning success
Turning into business valueFree Download