Two sentenced under the Computer Misuse Act for data theft

The Information Commissioner’s Office (ICO) has led the successful prosecution of two individuals for violating the Computer Misuse Act (CMA) 1990 by stealing personal data to make nuisance calls.

Kim Doyle, a former RAC employee, was found guilty of transferring personal data to an accident claims management firm without permission, including road traffic accident data such as names, mobile phone numbers and registration numbers.

An ICO investigation found that Dyle transferred the data she had obtained to William Shaw, the director of TMS, with this data subsequently being used to make nuisance calls. This constituted a breach of the CMA, with Doyle pleading guilty to conspiracy to secure unauthorised access to computer data, and selling unlawfully obtained personal data.

Both Doyle and Shaw, as a result, have each been handed an eight-month prison sentence, suspended for two years.

“People’s data is being accessed without consent and businesses are putting resources into tracking down criminals,” said Mike Shaw, who heads up the UK data regulator’s criminal investigations team.

“Once the data is in the hands of claims management companies, people are subjected to unwanted calls which can in turn lead to fraudulent personal injury claims. Offenders must know that we will use all the tools at our disposal to protect people’s information and prevent it from being used to make nuisance calls.

“This case shows that we can, and will take action, and that could lead to a prison sentence for those responsible.”

This is only the latest in a handful of prosecutions made under the CMA, led by the ICO. In June 2020, for instance, a businesswoman was sentenced for illegally accessing a company’s servers and deleting files months after resigning as a director.

While only a few individuals are prosecuted under the CMA, historical research had found that more than a third of IT workers admitted to violating this legislation. The research from 2016 showed that roughly half of employees surveyed admitted to retaining access to their former employer’s network, while 36% admitted to accessing corporate systems after leaving their roles.

The act itself, however, is widely deemed out-of-date and counterintuitive by many working in the IT sector and in cyber security.

According to research published last year, the 30-year-old legislation is preventing cyber security professionals from doing their jobs. Many, in particular, are worried about whether may be breaking the law while researching vulnerabilities, or investigating threats. Specifically, 40% of those surveyed said the CMA has acted as a barrier to them or their colleagues and has prevented them from proactively safeguarding against breaches.

A coalition of businesses, trade bodies, lawyers and cyber security lobby groups also wrote to the prime minister, Boris Johnson, in June 2020 urging his government to reform the CMA for similar reasons. This group included techUK, F-Secure, McAfee and Trend Micro, among other organisations.

The Criminal Law Reform Now Network (CLRNN) has also reported on the shortcomings of the CMA, claiming in January last year that the legislation is putting critical UK infrastructure at risk.