ACS Monetary Penalty Announced

May 10, 2011

monetary penalty for failing to keep sensitive personal information relating to around 6,000 people secure, the Information Commissioner’s Office (ICO) announced on 10 May.

Andrew Jonathan Crossley – as data controller of the former law firm – has been served with a monetary penalty of £1,000.

Information Commissioner, Christopher Graham, said:

‘This case proves that a company’s failure to keep information secure can have disastrous consequences. Sensitive personal details relating to thousands of people were made available for download to a worldwide audience and will have caused them embarrassment and considerable distress. The security measures ACS Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details. As Mr Crossley was a sole trader it falls on the individual to pay the fine. Were it not for the fact that ACS Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach. Penalties are a tool for achieving compliance with the law and, as set out in our criteria, we take people’s circumstances and their ability to pay into account.’ 

Mr Crossley of ACS Law – which has now ceased trading – specialised in pursuing alleged copyright infringement cases on behalf of copyright holders from the music, video games and adult film industries. The firm had written to thousands of individuals who were alleged to have broken copyright law. They were pursued using information obtained from individuals’ ISPs.

In September 2010, ACS Law’s web site was subjected to an online attack which caused it to crash. After the attack a file containing e-mails between ACS Law staff, and some to and from ISPs or members of the public, appeared on a web site which allowed anyone who downloaded the file access to around 6,000 people’s sensitive personal information. This included individuals’ ISP account details, their names and addresses, their IP addresses and information about the content they were alleged to have illegally copied. Some of the e-mails also included people’s credit card details, as well as references to their sex life, health and financial status.

The ICO’s investigation found serious flaws in ACS Law’s IT security system. Mr Crossley did not seek professional advice when setting up and developing the IT system which did not include basic elements such as a firewall and access control. In addition, ACS Law’s web-hosting package was only intended for domestic use. Mr Crossley had received no assurances from the web-host that information would be kept secure. While the firm should have been aware of their obligations under the Data Protection Act, they continued to act negligently and failed to ensure that appropriate technical and organisational measures were in place to keep personal information secure.