The Information Commissioner's Office (ICO) issued its fifth monetary penalty yesterday to the former data controller of ACS:Law.
In the incident last September, ACS:Law was hit by a distributed denial-of-service (DDoS) attack that took its website down but left files exposed that were eventually distributed over the internet. One file contained around 1,000 confidential emails, while an unencrypted document listed the personal details of more than 5,300 BSkyB Broadband subscribers, alongside a list of adult videos they may have downloaded and shared online.
This naturally led to huge distress and caused Privacy International to take a considered interest in the case. It was suspected that the DDoS attack was launched due to ACS:Law's pursuit of file sharers. The firm ceased pursuing file sharers in January 2011 and ceased trading on 3rd February 2011.
The ICO served data controller Andrew Jonathan Crossley with a fine of £1,000 for failing to keep sensitive personal information relating to around 6,000 people secure. The ICO admitted that the fine could have been £200,000 if the firm were still trading.
In its investigation, the ICO said that it found serious flaws in ACS:Law's IT security system. It accused Crossley of not seeking professional advice when setting up and developing the IT system, which did not include basic elements such as a firewall and access control.
In addition, ACS:Law's web-hosting package was said to be intended only for domestic use, and the ICO said that Crossley had received no assurances from the web host that information would be kept secure.
The ICO said that while the firm should have been aware of its obligations under the Data Protection Act, it continued to act negligently and failed to ensure that appropriate technical and organisational measures were in place to keep personal information secure.
Information commissioner Christopher Graham said: “This case proves that a company's failure to keep information secure can have disastrous consequences. Sensitive personal details relating to thousands of people were made available for download to a worldwide audience and will have caused them embarrassment and considerable distress.
“The security measures ACS:Law had in place were barely fit for purpose in a person's home environment, let alone a business handling such sensitive details. As Crossley was a sole trader it falls on the individual to pay the fine. Penalties are a tool for achieving compliance with the law and, as set out in our criteria, we take people's circumstances and their ability to pay into account.”
Stewart Room, partner at FFW, previously told SC Magazine that most people cannot prove financial damage but they can prove distress and still have a right of access to the legal system.
Speaking on yesterday's ruling, Room said: “The £1,000 fine that the Information Commissioner has levied on the solicitor responsible for the ACS:Law data security breach is bound to disappoint many people, albeit the commissioner is correct to say that he must take account of a person's ability to pay.
“If ACS:Law were still trading, the ICO would have fined £200,000, which gives us a useful barometer for assessing likely fines in the future. However, I fear that people will soon forget that the fine might have been £200,000 and we will be left with the hardly troubling message that serious data failure in the private sector can be met with a token gesture.”