Consequences of Cyber Crime: Sanctions under the Data Protection Act

12 Sep 2016

Cyber crime is reported to have cost British business more than £1 billion in the year to March 2016. In addition to losses attributed to theft, fraud, lost sales and loss of reputation, targets of cyber crime may also face financial and other sanctions where sensitive personal data is exposed.

There is a near-constant stream of news reporting data breaches. Our recent article on avoiding theft of IP and confidential information referred to the recent data breach at French defence contractor DCNS (where over 20,000 pages of documents detailing the combat capabilities of submarines were exposed). More recently, 800,000 members of a web forum where users share sexually explicit web conversations have had their account details published by hackers, allowing forum users to be identified and those individuals’ intimate conversations to be accessed too.

The Data Protection Act 1998 (“DPA”) provides a wide range of regulatory, criminal and civil law sanctions, ranging from minor to extremely serious, which may be imposed on businesses which have suffered data breaches. These sanctions will be imposed where the data protection principles have not been upheld. Most importantly, these principles require those controlling personal data to keep only as much data as they need, not keep it for longer than necessary and ensure it is protected from wrongful disclosure.

The Information Commissioner’s Office (“ICO”) has powers to:

  1. Issue an Information Notice against a business, requiring it to provide information about its data processing operations;
  2. Issue an Enforcement Notice, requiring it to comply with the data protection principles; and
  3. For serious contraventions, impose fines up to a maximum of £500,000.

Where the ICO imposes a fine, it must be satisfied that the breach of the DPA was serious and was of a kind likely to cause substantial damage or substantial distress, and that the data controller either:

  • Deliberately contravened the DPA 1998; or
  • Knew or ought to have known that there was a risk the contravention would occur, and that it would be likely to cause substantial damage or distress, but still failed to take reasonable steps to prevent it from happening.

By way of example, a nursing home in Northern Ireland was fined £15,000 for not looking after sensitive personal information held in its records. Hampshire County Council was fined £100,000 by the ICO after failing to look after documents containing personal details of over 100 people.

In addition to these widely used powers, the ICO also has power to bring criminal prosecutions where there has been a failure to comply with information and enforcement notices or if one of the criminal offences created by the DPA has been committed. These offences are, however, more geared towards deliberate breaches of the DPA. It should be noted that Directors and other officers of companies which have committed offences under the DPA may also be liable to prosecution.

Lastly, individuals who have had their personal data disclosed, such as the forum users mentioned above, have the right to bring a claim for compensation under the DPA. A recent development in the law means claimants do not need to have suffered financial loss in order to successfully claim compensation. However, these awards for compensation tend to be relatively low when compared to the fines the ICO typically imposes.

In addition to the immediate and direct consequences of cyber crime, which are in themselves extremely damaging to business, a business found not to have complied with the data protection principles may face the further hardship of sanctions under the DPA. The best way to avoid these is to follow our guidance on avoiding theft of IP and confidential information (all of which applies to personal data too) and to keep internal data protection policies and practices under close scrutiny.

We are able to advise and assist you in reducing the risks of cyber crime and DPA sanctions. Where a data breach is suffered, early advice should be sought in order to minimise the damage caused to your business and to any individuals whose personal data has been exposed.


DMH Stallard have a dedicated team of Cyber Crime specialists who can advise on this and other related matters. For more information contact:
