Support 100 years of independent journalism.

  1. Politics
12 May 2011

The fine for exposing 6,000 PC users online? £1,000

“Bullying”, “aggressive” ACS:Law fined for data breach.

By Jason Stamper

Another day, another small price to pay for a serious data breach. The ACS:Law solicitor Andrew Crossley has been fined £1,000 by the Information Commissioner’s Office (ICO) after a data breach in which the personal details of 6,000 computer users who were targeted by his firm were exposed online.

The data breach happened following a denial-of-service attack by members of the hacktivist group Anonymous, who were unhappy at the tactics being used by Crossley and his law firm. ACS:Law had written letters to hundreds of people it accused of downloading content without paying for it, asking them to pay a fine of several hundred pounds.

As well as people’s names and addresses, a list of pornographic films they were accused of downloading illegally was also exposed. “The security measures ACS:Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details,” said the Information Commissioner, Christopher Graham.

Thus, the fine of just £1,000 may seem paltry. Graham said it would have been £200,000, but for the fact that Crossley is said to lack the means to pay: ACS:Law has ceased trading. A spokesperson for the ICO told the BBC that it does not have the power to audit people’s accounts but said that Crossley had provided a sworn statement on the state of his finances.

Select and enter your email address Quick and essential guide to domestic and global politics from the New Statesman's politics team. A weekly newsletter helping you fit together the pieces of the global economic slowdown. The New Statesman’s global affairs newsletter, every Monday and Friday. The best of the New Statesman, delivered to your inbox every weekday morning. The New Statesman’s weekly environment email on the politics, business and culture of the climate and nature crises - in your inbox every Thursday. Our weekly culture newsletter – from books and art to pop culture and memes – sent every Friday. A weekly round-up of some of the best articles featured in the most recent issue of the New Statesman, sent each Saturday. A newsletter showcasing the finest writing from the ideas section and the NS archive, covering political ideas, philosophy, criticism and intellectual history - sent every Wednesday. Sign up to receive information regarding NS events, subscription offers & product updates.
  • Administration / Office
  • Arts and Culture
  • Board Member
  • Business / Corporate Services
  • Client / Customer Services
  • Communications
  • Construction, Works, Engineering
  • Education, Curriculum and Teaching
  • Environment, Conservation and NRM
  • Facility / Grounds Management and Maintenance
  • Finance Management
  • Health - Medical and Nursing Management
  • HR, Training and Organisational Development
  • Information and Communications Technology
  • Information Services, Statistics, Records, Archives
  • Infrastructure Management - Transport, Utilities
  • Legal Officers and Practitioners
  • Librarians and Library Management
  • Management
  • Marketing
  • OH&S, Risk Management
  • Operations Management
  • Planning, Policy, Strategy
  • Printing, Design, Publishing, Web
  • Projects, Programs and Advisors
  • Property, Assets and Fleet Management
  • Public Relations and Media
  • Purchasing and Procurement
  • Quality Management
  • Science and Technical Research and Development
  • Security and Law Enforcement
  • Service Delivery
  • Sport and Recreation
  • Travel, Accommodation, Tourism
  • Wellbeing, Community / Social Services
I consent to New Statesman Media Group collecting my details provided via this form in accordance with the Privacy Policy

But Deborah Price, head of legal affairs at the consumer affairs watchdog Which?, said:

ACS Law demanded around £400 from each of the people it accused of illegal file-sharing, yet for a serious breach of data protection law, it gets a paltry fine of £1,000. This is utterly inadequate – the ICO should have imposed an appropriate sanction.

The ICO said that if ACS Law was still trading it would have imposed a penalty of £200,000. This beggars belief. It sends the message that businesses that commit a data breach can expect appropriate punishment, unless they dissolve their business, in which case they’ll get off lightly.

The victims of this security breach – consumers who have had to suffer the consequences of having unfounded allegations about them published online – have been left with no redress whatsoever.

It’s not the first time the Information Commissioner’s Office has been accused of lacking teeth.

Meanwhile, Which? complained to the Solicitors Regulation Authority (SRA) over ACS:Law’s “bullying” and “aggressive” behaviour back in 2009. The SRA decided that there was a case to answer and Crossley, owner of ACS:Law, will appear before a tribunal next month.

ACS:Law’s tactics were also criticised by the House of Lords amendments committee when debating the Digital Economy Bill in January last year. Lord Lucas said:

We have to be careful about setting out to criminalise . . . a large proportion of our population, particularly when it involves putting them not in the hands of the criminal law with all the safeguards, care and rationality that involves, but in the hands of firms of solicitors who are out to make a buck from the process.

None of these people are nice to deal with. Even where the majors have been involved in prosecutions – there are not many cases of that – they are relentless. It is not at all nice to be on the receiving end of one of their prosecutions. They can take a long time, cost a great deal of money and go on, with unspecified consequences, for a period of years.

ACS Law, one of the firms involved in this, has been kind enough to write to me . . .

Jason Stamper is NS technology correspondent and editor of Computer Business Review.