Sentencing on Computer Misuse Act for Data Theft

In swift action for the Information Commissioner’s Office (ICO), two individuals found violating the Computer Misuse Act (CMA) 1990 via the theft of personal data in a bid to make nuisance calls have been successfully prosecuted.

Former RAC employee Kim Doyle was found guilty with the transfer of personal data to accident claims management firms without given permission, including road traffic accident records such as names, registration numbers and contact details.


Upon investigation by the ICO, it was revealed that Doyle had transferred data she had obtained to the Director of TMS William Shaw. The data was then used by Shaw’s company to make nuisance calls.

This act was identified as a breach of the CMA, leading to Doyle to plead guilty to conspiracy towards securing unauthorised access towards computer data as well as selling unlawfully obtained personal data. As a result of the legal action, both Doyle and Shaw were each sentenced to an eight-month prison term, suspended for two years.

The UK data regulator criminal investigations division highlighted that businesses are now putting extra resources into tracking down criminals who are compromising people’s data. Upon the handing over of the data to claims management companies, those people on the records are subjected to vast amounts of unwanted calls in a bid to turn in fraudulent personal injury claims.

Offenders now understand that tools are being utilised by businesses to protect against what is considered a data breach and that action will be taken to assure a prison sentence.

Long in Line

The CMA has issued many convictions lately in conjunction with the ICO.

June 2020 saw one businesswoman sentenced for the illegal access of a company’s servers and the deletion of files mere months following her resignation as a director within the company. Whilst only a handful of individuals have been prosecuted by the CMA, it has gone on record that over a third of IT workers have admitted to legislation violations.

In 2016 a research probe identified that around half of employees that were surveyed admitted to retaining access to network’s of their former employment, with 36% admitting to accessing of corporate systems after leaving their positions. The CMA itself is more or less deemed counterintuitive by those working in cybersecurity and IT areas.

Calls for Reform

Cybersecurity professionals have stated that the 30 years plus legislation put prevention on them being able to successfully do their job, with many worrying whether how they work could be skating across the law’s thin ice when researching vulnerabilities or investigating threats and identifying how to protect data online.

This has led to a large gathering of businesses, trade bodies, lawyers and lobby groups within cybersecurity requesting a reform on the CMA from the government.