As reported in a must-read analysis, the Information Commissioner’s Office has for only the second time in its history successfully prosecuted individuals under the Computer Misuse Act 1990 in order to impose harsher criminal penalties for unauthorized access to personal data (including but not limited to prison sentences and confiscation orders) than are available under the Data Protection Act 2018.

As outlined in the analysis, this case reinforces the message to businesses and organizations who are controllers of the personal data that they must prepare for and safeguard against the risks posed by rogue employees who gain unauthorized access to personal data electronically. The security risks to organizations may be exacerbated by the increased number of employees working remotely and without regular supervision (including due to the COVID-19 pandemic). Employee vetting, training, regular communications and ongoing compliance checks remain essential measures to reduce such risks.