Law Firm faces fine of £500,000 after alleged breach of Data Protection Act

A law firm that focuses its efforts on researching and fining individuals thought to illegally share files online has today been warned it could face fines of up to £500,000.00 for allegedly breaching the Data Protection Act. Privacy expert Simon Davis called it “one of the worst breaches” of the Data Protection Act (DPA) he had ever seen.

ACS:Law has made a successful business out of its anti-piracy efforts, asking individuals to pay £500 per infringement or face court action. ACS:Law obtains IP (internet protocol) addresses by using ‘third-party firms to scour the net looking for possible infringements of music and film copyright’. Court orders are then applied for in order to obtain the physical addresses that the IP address originates from.

The alleged breach occurred following an attack on ACS:Law’s website, supposedly carried out in retaliation for its work. While the website was being brought back online, the personal information of approximately 14,000 individuals was released into the public domain and uploaded to file-sharing websites including The Pirate Bay, where it is being shared by hundreds of users. Credit card details, email addresses and physical addresses are said to have been leaked.

As a result, the UK’s Information Commissioner (ICO) has told the BBC that ACS:Law could face a fine of half a million pounds.
“The question we will be asking is how secure was this information and how it was so easily accessed from outside,” said Christopher Graham.
“We’ll be asking about the adequacy of encryption, the firewall, the training of staff and why that information was so public facing”.

In response, Andrew Crossley, who runs ACS:Law, spoke out:
“We were the subject of a criminal attack to our systems. The business has and remains intact and is continuing to trade,” he added.

To see the article in full, go to http://www.bbc.co.uk/news/technology-11418970 now.

Comment
Absolute Data works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. An interesting point to note on this story is the direct quote from the ICO’s office relating to data processes. The reference to the adequacy of things like staff training is a procedural point and not at all technology related. The “softer side” of privacy risk management, such as staff training and having documented procedures, is often overlooked and under-funded in organisations, and it is an area where we can have a big impact for a modest investment. For further information, please contact us now on info@absolute-data.co.uk.