Procurement · 13 January 2016

ICO: Cyber criminals should receive stronger sentencing

ICO: UK courts should be given greater powers to deliver stronger sentences to cyber criminals

The Information Commissioner’s Office (ICO) – the government body responsible for the enforcement of the Data Protection Act – has issued a statement calling for more serious punishments for cyber criminals.

In response to a perceived disconnect between the actions of cyber thieves and the punishments they receive, the ICO said that UK courts should be given greater powers to deliver stronger sentences to people who steal and share the personal details of others online.

The information commissioner Christopher Graham said that the fines being given to cyber criminals currently did not go far enough and were not enough of a deterrent.

“The fines that courts are issuing at the moment just don’t do enough to discourage would-be data thieves.

“We’d like to see the courts given more options: suspended sentences, community service, and even prison in the most serious cases,” he said.

Prosecuting under the Data Protection Act, the ICO is limited to issuing fines for cyber crime. The secretary of state’s office has the power to alter the penalty for an offence of unlawfully obtaining data under the act, which could give judges greater sentencing powers, including prison terms.

Director of cyber crime and prevention at online data protection firm 8MAN, Esther George, said that because these actions have not yet been taken, it is no surprise that cyber crime continues to rise. “Only with tougher penalties will we deter cyber criminals,” she said.

For George, greater education within firms is necessary for understanding how best to handle cyber crime, as companies wrongly presume that all cases of data theft should be reported to the ICO. The Crown Prosecution Service (CPS) is, in some instances, better able to investigate and issue more appropriate sentencing.

“Many organisations presume that if data is lost the ICO should be informed, which then runs its own investigation and prosecutes. This means that the police and CPS aren’t even aware or able to impose tougher sanctions.

“Education must take place into what policies and procedures are needed to prevent these incidents, when firms should go to the police versus the ICO and what information needs to be provided to build a solid case for prosecution under the Data Protection Act.”

At present, most cases of cyber crime handed to the police and CPS get dealt with under Section One of the Computer Misuse Act 1990, which deals with unauthorised computer access, and can lead to fines and imprisonment of up to six months.

Recent figures released by the Office for National Statistics (ONS) revealed the extent of cyber crime in the UK. Between May and August 2015, over 2.5m cases of cyber crime and data breaches were experienced by British businesses.

A report published by Norton’s Cybersecurity Insights in November demonstrated the economic impact of UK cyber crime. With one in five consumers having experienced cyber crime in the last year, the report found that £1.6bn was lost from the UK economy.

Fred Heritage was previously deputy editor at Business Advice. He has a BA in politics and international relations from the University of Kent and an MA in international conflict from King’s College London.