August 30, 2013
A story in publicservice.co.uk notes in its own genteel fashion that “the government is to consider introducing custodial sentences for people who have committed serious offences under the Data Protection Act.”
“Custodial sentences.” Since they don’t mean forcing someone to become a member of building maintenance, it is undoubtedly an incredibly civilized way of saying throw the culprit in the can.
Going from the proverbial slap on the wrist in the form of fines to jail time is the result of a series of data breaches.
One involved a woman whose husband had been jailed for sexual assault. Still, he managed to access the victim’s bank account details, attempting to monitor spending and social activities. This resulted in a fine of just £100 ($155 approx) per offense.
In another incident a nurse provided patient details to her partner who worked for an accident management company. (As nearly as we can determine from this side of the pond, accident management companies jump in when there’s an auto accident and “help” with insurance claims, car rentals, etc. Probably the closest parallel in the USA would be attorneys on late-night TV running commercials aimed at accident victims. Or tow truck drivers listening to police bands to beat the competition to the scene of a wreck. Accident management companies are not necessarily held in high regard.) Despite the fact that such companies pay up to £900 ($1400) for a client’s information, a fine of only £150 ($234) per offense was imposed. So even with the fine the nurse was making a healthy profit.
One of the most egregious breaches reported by publicservice.co.uk was the case of a probation officer who received a fine after she leaked the new address of a domestic abuse victim to the alleged perpetrator of the abuse. “Victoria Idowu was fined £150 ($235) as well as being ordered to pay a £20 ($31) victim surcharge and a £250 ($390) contribution towards costs at Camberwell Green Magistrates Court.
“Idowu, who has now had her employment terminated as a probation officer by the London Probation Trust, claimed that she provided a domestic abuse victim’s full name, new address and date of birth, along with the details of the investigating officer to the alleged perpetrator, as she believed that the individual already knew this information and she was keen to avoid a case of mistaken identity. (Huh?)
“But the distressed victim then contacted the investigating officer … confirming the alleged perpetrator now knew her new address. The victim then broke off all contact with the police and the other services involved, believing that they could no longer be trusted. The investigation against the alleged perpetrator was subsequently dropped.”
Commenting on the case, Information Commissioner Christopher Graham said, “This is not just a criminal breach of the Data Protection Act, but it also led to a police investigation of alleged domestic abuse being dropped. The government must act now to introduce tougher penalties for individuals who illegally access and disclose personal information.”
Cases like these have brought jail time closer to reality for breaches of the U.K.’s Data Protection Act.
The Information Commissioner’s Office, which offers independent advice and guidance about data protection and freedom of information, expressed concern that courts only had the option of issuing a fine for those individuals who “knowingly or recklessly obtain or disclose personal data, or procure someone else to do this for them.” And the ICO said a custodial sentence would be justified in the most serious cases.
Members of Parliament on the Commons Justice Select Committee have been calling for stronger penalties. And Sir Alan Beith, chairman of the committee, has observed: “Magistrates and judges need to be able to hand out custodial sentences when serious misuses of personal information come to light. Parliament has provided that power, but ministers have not yet brought it into force – they must do so.”
Posted by Dan Rampe