Cyber crime is reported to have cost British business more than £1 billion in the year to March 2016 (https://www.getsafeonline.org/news/over-1bn-lost-by-businesses-to-online-crime-in-a-year/). In addition to losses attributed to theft, fraud, lost sales and loss of reputation, targets of cyber crime may also face financial and other sanctions where sensitive personal data is exposed.
There is a near-constant stream of news reporting data breaches. Our recent article on avoiding theft of IP and confidential information (https://www.dmhstallard.com/news/blog/top-10-tips-for-protecting-ip-and-confidential-inf) referred to the recent data breach at French defence contractor DCNS (where over 20,000 pages of documents detailing the combat capabilities of submarines were exposed). More recently, 800,000 members of a web forum where users share sexually explicit web conversations have had their account details published by hackers, allowing forum users to be identified and those individuals’ intimate conversations to be accessed too (http://www.bbc.co.uk/news/technology-37285715).
The Data Protection Act 1998 (“DPA”) provides a wide range of regulatory, criminal and civil law sanctions, ranging from minor to extremely serious, which may be imposed on businesses which have suffered data breaches. These sanctions will be imposed where the data protection principles have not been upheld. Most importantly, these principles require those controlling personal data to keep only as much data as they need, not keep it for longer than necessary and ensure it is protected from wrongful disclosure.
The Information Commissioner’s Office (“ICO”) has powers to:
- Issue an Information Notice against that business, requiring it to provide information about its data processing operations;
- Issue an Enforcement Notice, requiring it to comply with the Data Protection Principles; and
- For serious contraventions, impose fines up to a maximum of £500,000.
Where the ICO imposes a fine, it must be satisfied that the breach of the DPA was serious and was of a kind likely to cause substantial damage or substantial distress, and that the data controller either:
- Deliberately contravened the DPA 1998; or
- Knew or ought to have known that there was a risk the contravention would occur, and that it would be likely to cause substantial damage or distress, but still failed to take reasonable steps to prevent it from happening.
By way of example, a nursing home in Northern Ireland was fined £15,000 for not looking after sensitive personal information held in its records. Hampshire County Council was fined £100,000 by the ICO after failing to look after documents containing personal details of over 100 people.
In addition to these widely used powers, the ICO also has power to bring criminal prosecutions where there has been a failure to comply with information and enforcement notices or if one of the criminal offences created by the DPA has been committed. These offences are, however, more geared towards deliberate breaches of the DPA. It should be noted that Directors and other officers of companies which have committed offences under the DPA may also be liable to prosecution.
Lastly, individuals who have had their personal data disclosed, such as the forum users mentioned above, have the right to bring a claim for compensation under the DPA. A recent development in the law means claimants do not need to have suffered financial loss in order to successfully claim compensation. However, these awards for compensation tend to be relatively low when compared to the fines the ICO typically imposes.
In addition to the immediate and direct consequences of cyber crime, which are in themselves extremely damaging to business, a business found not to have complied with the data protection principles may face the further hardship of sanctions under the DPA. The best way to avoid these is to follow our guidance on avoiding theft of IP and confidential information (all of which applies to personal data too) and to keep internal data protection policies and practices under close scrutiny.
We are able to advise and assist you in reducing the risks of cyber crime and DPA sanctions. Where a data breach is suffered, early advice should be sought in order to minimise the damage caused to your business and to any individuals whose personal data has been exposed.
DMH Stallard have a dedicated team of Cyber Crime specialists who can advise on this and other related matters. For more information contact: