The owner of controversial former solicitors’ firm ACS Law has escaped with a £1,000 fine after a data breach on its website released the names of Sky broadband customers who it claimed had illegally downloaded porn movies.
But the Information Commissioner’s Office said Andrew Jonathan Crossley – as data controller of the former law firm – would have faced a £200,000 fine if he hadn’t already ceased trading.
In September 2010, ACS Law’s website was subjected to an online attack which caused it to crash. After the attack a file containing emails between ACS Law staff, and some to and from ISPs or members of the public, appeared on a website which allowed anyone who downloaded the file access to around 6,000 people’s sensitive personal information.
This included individuals’ ISP account details, their names and addresses, their IP addresses and information about the content they were alleged to have illegally copied. Some of the emails also included people’s credit card details, as well as references to their sex life, health and financial status. At the time it was alleged that the publication of the details had been part of a deliberate name and shame campaign by ACS Law.
Information Commissioner Christopher Graham said: “This case proves that a company’s failure to keep information secure can have disastrous consequences. Sensitive personal details relating to thousands of people were made available for download to a worldwide audience and will have caused them embarrassment and considerable distress.
“The security measures ACS Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details.
“As Mr Crossley was a sole trader it falls on the individual to pay the fine. Were it not for the fact that ACS Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach. Penalties are a tool for achieving compliance with the law and, as set out in our criteria, we take people’s circumstances and their ability to pay into account.”
Crossley specialised in pursuing alleged copyright infringement cases on behalf of copyright holders from the music, video games and adult film industries. The firm had written to thousands of individuals who were alleged to have broken copyright law. They were pursued using information obtained from individuals’ internet service providers (ISPs).
The ICO’s investigation found serious flaws in ACS Law’s IT security system. Crossley did not seek professional advice when setting up and developing the IT system, which did not include basic elements such as a firewall and access control.
In addition, ACS Law’s web-hosting package was only intended for domestic use. Crossley had received no assurances from the web-host that information would be kept secure. While the firm should have been aware of its obligations under the Data Protection Act, it continued to act negligently and failed to ensure that appropriate technical and organisational measures were in place to keep personal information secure.