Another day, another small price to pay for a serious data breach. ACS:Law solicitor Andrew Crossley has been fined £1,000 by the Information Commissioner’s Office after a data breach that saw the personal details of 6,000 computer users, targeted by his firm, exposed online.
The data breach happened following a denial-of-service attack by members of the hacktivist group Anonymous, who were unhappy at the tactics being used by Crossley and his law firm. ACS:Law wrote letters to hundreds of people it accused of downloading content without paying for it, asking them to pay a fine of several hundred pounds.
As well as people’s names and addresses, a list of pornographic films they were accused of downloading illegally was also exposed. "The security measures ACS:Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details," Information Commissioner Christopher Graham said.
The fine of just £1,000 may seem paltry, but Graham said that it would have been £200,000 were it not for the fact that Crossley is said not to have the means to pay: ACS:Law has ceased trading. A spokesperson for the ICO told the BBC that it does not have the power to audit people’s accounts but said that Crossley had provided a sworn statement on the state of his finances.
But Deborah Price, head of legal affairs at consumer watchdog Which?, said:
"ACS Law demanded around £400 from each of the people it accused of illegal file sharing, yet for a serious breach of data protection law, it gets a paltry fine of £1,000. This is utterly inadequate – the ICO should have imposed an appropriate sanction.
The ICO said that if ACS Law was still trading it would have imposed a penalty of £200,000. This beggars belief. It sends the message that businesses that commit a data breach can expect appropriate punishment, unless they dissolve their business, in which case they’ll get off lightly.
The victims of this security breach – consumers who have had to suffer the consequences of having unfounded allegations about them published online – have been left with no redress whatsoever."
It’s not the first time the Information Commissioner’s Office has been accused of lacking teeth.
Which?, meanwhile, complained to the Solicitors Regulation Authority (SRA) over ACS:Law’s "bullying" and "aggressive" behaviour back in 2009. The SRA decided that there was a case to answer and ACS:Law owner Crossley will appear before a tribunal next month.
ACS:Law’s tactics were also criticised by the House of Lords Amendments Committee debating the Digital Economy Bill in January last year. Lord Lucas said:
"We have to be careful about setting out to criminalise… a large proportion of our population, particularly when it involves putting them not in the hands of the criminal law with all the safeguards, care and rationality that involves, but in the hands of firms of solicitors who are out to make a buck from the process.
None of these people are nice to deal with. Even where the majors have been involved in prosecutions – there are not many cases of that – they are relentless. It is not at all nice to be on the receiving end of one of their prosecutions. They can take a long time, cost a great deal of money and go on, with unspecified consequences, for a period of years.
ACS Law, one of the firms involved in this, has been kind enough to write to me…"
Please follow Jason Stamper on Twitter: www.twitter.com/jasonstamper