Another day, another small price to pay for a serious data breach. The ACS:Law solicitor Andrew Crossley has been fined £1,000 by the Information Commissioner’s Office (ICO) after a data breach in which the personal details of 6,000 computer users who were targeted by his firm were exposed online.
The data breach happened following a denial-of-service attack by members of the hacktivist group Anonymous, who were unhappy at the tactics being used by Crossley and his law firm. ACS:Law had written letters to hundreds of people it accused of downloading content without paying for it, asking them to pay a fine of several hundred pounds.
As well as people’s names and addresses, a list of pornographic films they were accused of downloading illegally was also exposed. “The security measures ACS:Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details,” said the Information Commissioner, Christopher Graham.
Thus, the fine of just £1,000 may seem paltry. Graham said it would have been £200,000, but for the fact that Crossley is said to lack the means to pay: ACS:Law has ceased trading. A spokesperson for the ICO told the BBC that it does not have the power to audit people’s accounts but said that Crossley had provided a sworn statement on the state of his finances.
But Deborah Price, head of legal affairs at the consumer affairs watchdog Which?, said:
“ACS Law demanded around £400 from each of the people it accused of illegal file-sharing, yet for a serious breach of data protection law, it gets a paltry fine of £1,000. This is utterly inadequate – the ICO should have imposed an appropriate sanction.
“The ICO said that if ACS Law was still trading it would have imposed a penalty of £200,000. This beggars belief. It sends the message that businesses that commit a data breach can expect appropriate punishment, unless they dissolve their business, in which case they’ll get off lightly.
“The victims of this security breach – consumers who have had to suffer the consequences of having unfounded allegations about them published online – have been left with no redress whatsoever.”
It’s not the first time the Information Commissioner’s Office has been accused of lacking teeth.
Meanwhile, Which? complained to the Solicitors Regulation Authority (SRA) over ACS:Law’s “bullying” and “aggressive” behaviour back in 2009. The SRA decided that there was a case to answer and Crossley, owner of ACS:Law, will appear before a tribunal next month.
ACS:Law’s tactics were also criticised by the House of Lords amendments committee when debating the Digital Economy Bill in January last year. Lord Lucas said:
“We have to be careful about setting out to criminalise . . . a large proportion of our population, particularly when it involves putting them not in the hands of the criminal law with all the safeguards, care and rationality that involves, but in the hands of firms of solicitors who are out to make a buck from the process.
“None of these people are nice to deal with. Even where the majors have been involved in prosecutions – there are not many cases of that – they are relentless. It is not at all nice to be on the receiving end of one of their prosecutions. They can take a long time, cost a great deal of money and go on, with unspecified consequences, for a period of years.
“ACS Law, one of the firms involved in this, has been kind enough to write to me . . .”
Jason Stamper is NS technology correspondent and editor of Computer Business Review.