MPs call for data thieves to be sent to prison for up to two years
Give the ICO more power, says CMS Committee
Criminals who obtain and sell personal data illegally should be sent to prison for up to two years, according to a new report by the Culture, Media and Sport Committee.
The report into data protection by the committee was triggered by the disastrous data breach at TalkTalk.
The ICO has been calling for the government to take a tougher stance on data thieves for years. Back in 2011, then Information Commissioner Christopher Graham said that magistrates should be given the power to jail those found guilty of breaching section 55 of the Data Protection Act (DPA), after an employee of Barclays Bank, Sarah Langridge, used her position to look up the bank details of a woman accusing her husband of a sex attack.
Now, MPs on the CMS Committee have acknowledged that such a move would encourage best practice when it comes to data protection.
"We concur with the ICO, that whilst the implementation of the EU GDPR will help focus attention on data protection, it would be useful to have a full range of sanctions, including custodial sentences.
"We therefore support the ICO's call to bring into force Sections 77 and 78 of the Criminal Justice and Immigration Act 2008, which would allow a maximum custodial sentence of two years for those convicted of unlawfully obtaining and selling personal data," the report stated.
The cross-party committee's inquiry into cyber-security also called for the ICO to be given greater powers to encourage organisations to report a data breach as soon as possible. At present the ICO can only issue a fixed fine of £1,000 for failure to report a data breach.
"There should also be scope to levy higher fines if the organisation has not already provided guidance to all customers on how to verify communications," the report stated.
The MPs recommend that organisations holding large amounts of personal data should report annually to the ICO on staff cyber-awareness training, security auditing details, incident management plans, the number of attacks they were aware of, and the proportion of those that were successful.