Who: EE
Where: UK
When: November 2014
Law stated as at: 4 December 2014
What happened:
In 2011, back when EE was still trading as Orange, Mr Devlin impersonated a member of Orange’s security team in calls and emails to legitimate mobile phone distributors. On one occasion the deception worked and he obtained over 1,000 customer records. Mr Devlin, a company director of three marketing and telecoms companies, then used the unlawfully obtained personal data to target customers who were due a mobile handset upgrade, offering them his company’s services.
EE became aware of the breach and promptly notified the Information Commissioner’s Office (“ICO”), as it is obliged to do under the Privacy and Electronic Communications Regulations 2003, and the ICO identified Mr Devlin as the offender.
The Offence
It is a criminal offence under section 55 of the Data Protection Act 1998 (“DPA”) to unlawfully obtain or access personal data. When Mr Devlin appeared earlier this year at Calderdale Magistrates’ Court, the court found him guilty of the section 55 offence, fined him £500 and ordered him to pay £438.63 in costs and a £50 victim surcharge.
Currently the maximum fine that can be imposed in a magistrates’ court for a section 55 offence is £5,000, rising to an unlimited fine in the Crown Court. A penalty of £500 plus costs would appear to classify Mr Devlin’s offence as not very serious, and many doubt that a fine at this level (even with the accompanying criminal record) is an effective deterrent against this kind of crime.
Why this matters:
The feeling that the sentencing powers for breaches of the DPA are not strong enough is nothing new. In the ICO’s most recent Annual Report (published in July this year) the Information Commissioner called for “People who steal others’ personal information…to face the prospect of a prison sentence”, against a backdrop of a 10% rise in complaints to over 15,000, which led to only 12 criminal convictions.
In the case of Mr Devlin the Information Commissioner commented that “fines are no deterrent” because personal details are “worth serious money”. The Commissioner reiterated his view that for serious data breaches a prison sentence should be a possibility, so that there is an adequate deterrent for anyone considering such conduct.
Much of cyber security focuses on electronic data breaches: ensuring that appropriate technical and organisational measures are in place against network intrusions or malware. The Devlin case highlights that, even in the digital age, human deception by con-men remains a real threat, and one that reached EE’s customer data not through EE itself but through third-party distributors who were persuaded that they were speaking to the operator’s own security team. In some ways this is much harder to combat than an electronic breach. It requires that the people within your organisation, and within the partners you share data with, who are likely to be targeted are properly trained to recognise such approaches and to verify a caller’s identity through an independent channel before releasing customer data, coupled with stronger penalties to deter such attempts from being made at all.