A. N. Corporate board members fined after data leak
A mock trial was held on Thursday at the Infosecurity Europe expo in London. A fictitious company, A.N.Corporate, and members of its board of directors were charged with breach of section 450 of the Companies Act 1985.
In June 2007 the company had called in a security consultancy who reported numerous security failings, both technical and procedural. The report was stated by the consultants to have been delivered by email and in hard copy, and an acknowledgement email was said by the consultants to have been received from the CEO. It emerged during evidence that the report had effectively been shelved by the company without any remediation of the issues taking place.
A few months after the audit, the company experienced a data breach that exposed the banking credentials of customers, leading to some cases of fraud. The police were called in and the matter ultimately went before the Court. At the trial it emerged that emails critical to the matter, possibly including correspondence relating to the security audit, had been deleted by the IT Manager after proceedings had commenced, on the basis of a "new security policy" from the CIO that required purging of all emails more than three weeks old including those on backup archives.
The directors were today charged with destroying company documents in order to misrepresent the state of the company's affairs. In evidence, the CEO stated the consultants' report had been beyond his technical capacities and he passed it to the CIO. The CIO said he in turn passed it on to the CISO for the same reason. The latter had no recollection of ever receiving it, and the body of emails that might have provided evidence one way or the other was among those purged after proceedings commenced. The charge under s. 450 of the Companies Act related specifically to the deletion of company records, there being a possibility that the deletion was an attempt by the board members to disguise the security weaknesses exposed by the consultants' report. The issue was whether the defendants were personally and severally liable in addition to the company – the company's guilt was unchallenged.
After all evidence had been given by the four individual defendants – CEO, CIO, CISO and the IT manager, the charges against the latter two were dismissed on the grounds that they had no decision-making contribution to the alleged offence. However, the CEO and CIO were convicted by a large majority, and – unconventionally for a UK trial – the audience "jury" also imposed the penalty, in both cases a fine.
Despite the complexity of the issues involved, the trial, led by "Judge" Andrew Rose of Clifford Chance in red robes and full wig, proved a highly entertaining and popular event. It also made a very important legal point. Although our rather toothless Data Protection Act has been much in the news as a result of numerous high profile incidents, and the Information Commissioner has demanded extended powers and greater penalties, it remains largely unrecognised that there are already several much more effective instruments available to the Courts for dealing with such incidents. Section 450 of the Companies Act 1985 makes it an offence to destroy or falsify company records or be privy to such destruction or falsification. The penalties are up to seven years in prison and/or a fine. The critical feature of this offence is that it is "strict liability" – the normal burden of proof is reversed, the defendant having to prove that he had no intention to conceal the state of affairs of the company. This makes it an extremely strong deterrent tool against both poor management and cover-ups. However, as "defence counsel" Stewart Room of FFW stated in his post-trial review, Section 450 is hardly mentioned in textbooks on company law "because it's not sexy, being a strict liability offence".
The lesson for all of us to take away from this mock trial is that information management law is much more complex than just the "DPA", and it is incumbent on CEOs and CIOs to make themselves aware of the full gamut of their responsibilities. The lesson for legislators is that before we further complicate the issue by creating new laws and extending weak powers, we should consider making use of much stronger but less well-known legislation already on the statute books.