Despite there being 654 prosecutions over six years for obtaining or disclosing data, there were only three prosecutions for serious offences.
According to a Freedom of Information Act (FOIA) request by Cordery, the Crown Prosecution Service confirmed that they had prosecuted for three data protection offences: obtaining or disclosing personal data or the information contained in personal data; procuring the disclosure to another person of the information contained in personal data; and selling personal data.
However obtaining/disclosing data was by far the most enforced offence with a total of 654 prosecutions over six years, yet selling data has only been prosecuted twice over six years with 2010-2011 a peak year with a total of 200 prosecutions for obtaining/disclosing data and procuring the disclosure of data.
TK Keanini, CTO of Lancope, said he believed that the low number is representative of the maturity level of the legal process when it comes to information technology. “These are cases where not only are they visible enough to be caught but also enough of a case to reach prosecution,” he said.
Asked why he felt that there were only two prosecutions over six years, he said that while the internet is global, people who violate these laws don’t need to be operating in countries which have these laws nor would they want to. “Prosecution is has a national scope to a global problem of information on the internet,” he said.
The FOIA found that since 2010, there has been a marked drop in prosecutions (obtaining/disclosing data, and, procuring disclosure of data) to the lowest total figure of these years in 2013 of 96 prosecutions.
Keanini said: “When you look at how much private data is for sale on the black/dark markets, criminal activity is clearly on the rise yet prosecutions are not, and this is a bad sign for the good guy and an equally a good sign for the bad guys. Cyber crime is on the rise, yet there are fewer violators paying fines or going to jail and that is never a good sign for the community.
“We cannot look at the prosecution counts in isolation to understand what is taking place. These metrics need more context to other information technology trends and at a national level, put in context to other national trends as the internet makes the data problems everyone’s problem.”
Commenting, Jonathan Armstrong, partner at Cordery, said that 654 prosecutions over the last six years was many more than people would think. “I think most people think only the ICO do anything with data, but the figures suggest the police and CPS are pretty active too – even in a quiet year like last year, it is still around two prosecutions a week,” he said.
“I think most people would be surprised how much activity there is and they’d also be surprised how severe the consequences can be as our example shows. Of course we don’t know what a ‘typical’ offence or ‘typical’ sentence are but it reinforces the message that information security is to be taken seriously.”