The 2019 Court of Appeal criminal case of R (The Pensions Regulator) v Workchain Limited (Workchain) serves as a useful reminder of the possible criminal consequences of unauthorised access to a computer system.

Facts

Under the Pensions Act 2008 employers are required to automatically enrol eligible workers into a pension scheme. The employer has to pay employer pension contributions and must also deduct employee pension contributions from earnings and pay them into the scheme. An employee, but not the employer, can opt out of the scheme. If this is done within one month of enrolment, then neither the employer nor the employee has to pay any pension contributions.
Workchain was a recruitment agency which employed temporary workers and provided them to clients for a fee. It used the National Employment Savings Trust (NEST) as its workplace pension scheme. Workers are given a unique NEST ID so that they are able to access their data on-line and to opt out of the scheme if they wish. Employers are not given access to employee on-line data, nor are they allowed to opt out their workers. This is because employers have an incentive to opt out workers to save paying pension contributions. The NEST system was designed to ensure that an opt-out is a free choice of the employee.
However, Workchain was determined to opt out its temporary employees from the NEST scheme after their enrolment. Workchain staff made calls to NEST pretending to be temporary employees in order to obtain their NEST IDs which were later used to access the NEST on-line system and to opt them out. Workchain managed to achieve an opt-out rate of 66% compared to an average of 8%. Some of these opt-outs could be traced back to Workchain senior staff pretending to be a worker to obtain a NEST ID and others originated from a Workchain IP address indicating that they had been made by Workchain staff rather than the temporary workers. NEST became suspicious and the Pensions Regulator was alerted.

The criminal proceedings

The Pensions Regulator brought charges against Workchain, its directors/shareholders and various other personnel under s1 of the Computer Misuse Act 1990 (CMA). This sets out that a person is guilty of an offence if:
(a) he causes a computer to perform any function with intent to secure access to a programme or data held in any computer, or to enable any such access to be secured;
(b) the access he intends to secure or to enable to be secured is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.
The focus of this offence is the unauthorised access to computer programmes and/or data. It is committed without the need to prove dishonesty or any intent to use the data, for example for further offences or for any other purpose. The offence carries a maximum sentence of 2 years’ imprisonment or an unlimited fine on indictment.
In this case all eight defendants pleaded guilty. The two directors were sentenced to four months’ imprisonment suspended for two years, were directed to perform 200 hours of community service and were ordered to pay £11,250 in costs. Workchain was fined £200,000 with a costs order of £60,930 and a victim surcharge.
Workchain appealed its fine, claiming that it was manifestly excessive. For the first time ever the Court of Appeal had to consider how sentences under s1 of the CMA should be determined. The Court decided that the assessment of harm and culpability is the foundation of the sentence. When assessing harm, the Court stated that this is not limited to financial harm. A crucial head of harm under s1 of the CMA is the loss of integrity of the computer system involved in the breach, which was particularly important in this case given that employers are prohibited from having access to employee pension data. When assessing culpability, the reasons for and circumstances of the unauthorised access and the degree of persistence are relevant. The fact that an employer is in a position of trust is also to be taken into account. Previous convictions, particularly of a like sort, are an aggravating factor, as may be poor regulatory compliance by the employer. Finally, the sentence imposed should be proportionate, which means that the financial circumstances of the offender can affect the fine.
In this case, the financial loss to the employees and the savings for Workchain were small because of the temporary nature of the workforce. However, and importantly, in addition to the direct financial harm, Workchain’s “manipulation of the on-line system inevitably damaged or risked damaging trust in these systems, and consequently the scheme introduced by the Pensions Act as a whole. It inevitably risked undermining public confidence in the security of personal data in this context and generally, including confidence in the security of the pension funds involved”.
The Court considered Workchain’s culpability to be high. “Its senior employees unlawfully attempted to persuade its workers to opt out and, having failed to do so, pretended to be those workers in order to access unauthorised data for the purposes of defeating the automatic enrolment provisions”. The Court considered Workchain’s offending to be serious and to warrant a substantial sentence.
However, when considering the proportionality of the sentence the Court took into account that the company’s directors/shareholders had been convicted of the same offence and that a fine would in practice fall upon those same individuals as shareholders, as well as the company’s otherwise unblemished record and its general regulatory compliance. With a discount for a guilty plea, the Court of Appeal halved the fine imposed from £200,000 to £100,000.

Conclusion

This case demonstrates the wide application of the CMA and the potential criminal liability under it. It requires only that data be accessed without authority and that the person knows, at the time, that the access is unauthorised. Importantly, there is no need to prove dishonesty or any intent to use the data. Many cases of unauthorised access are for financial gain, but as this case shows, even where the sums involved are insignificant the Court can impose significant sentences upon a company, its directors and its employees where the offence risks undermining public trust in the security of the data. Companies and their employees should be mindful of this case and ensure, particularly during this time of remote working, that they respect data security controls and limitations on access.
For further information please contact our specialist data protection and regulatory team:

Amy Chandler, Partner, Amy.Chandler@pannonecorporate.com
Patricia Jones, Consultant, patricia.jones@pannonecorporate.com
Rhian Greaves, Associate Partner, Rhian.Greaves@pannonecorporate.com
Danielle Amor, Senior solicitor, Danielle.Amor@pannonecorporate.com

The post Criminal sanctions: what happens when you don’t respect data security appeared first on Pannone Corporate.