ACS:Law fined £1000 by the ICO – is it enough?

On 1st February this year, we reported on how the ICO had come under fire for failing to fine BT over a data breach involving the law firm ACS:Law, following a cyber attack on the firm. BT had emailed the confidential information of over 500 of its customers to the firm, which was using the data to pursue people accused of illegal online file sharing. The confidential information included credit card data and references to individuals' sexual life and health. Some of the details were particularly sensitive, such as whether an individual was accused of sharing pornography.

Many people were up in arms over this, because it highlighted how an organisation can claim to have a data protection policy while failing to enforce it adequately.

However, yesterday ZDNet UK reported that the UK privacy regulator has fined the solicitor behind ACS:Law £1,000 for failing to keep the personal data of at least 6,000 people secure.

ACS:Law sent hundreds of letters 'that accused people of unlawful file-sharing [but] had lax IT security which contributed to the loss of people's personal details', the Information Commissioner's Office (ICO) said in a statement on Tuesday.

"The security measures ACS:Law had in place were barely fit for purpose in a person's home environment, let alone a business handling such sensitive details," said Information Commissioner Christopher Graham in a statement.

The web-hosting package that ACS:Law used for its operation was 'only intended for home use, and cost £5.99 per month. Crossley had received no assurances from the web-host that information would be kept secure'. Andrew Crossley is the solicitor behind the firm. The firm should have been aware of its Data Protection Act obligations, the ICO added.

The ICO said it would have fined ACS:Law £200,000 had the company still been trading. Crossley, who at one point owned a Bentley, told the ICO he no longer had the means to pay a higher fine.

“The £1,000 reflects his financial condition. He did drive a Bentley at one point, but he doesn’t now.”

Many people will be angered by this seemingly low fine. One such person is privacy campaigner Alex Hanff, who told ZDNet UK:

“To issue a £1,000 fine is laughable,” said Hanff. “The ICO should have ruled on the seriousness of the breach — you couldn’t get much more sensitive information than [alleged] sexual orientation and preferences.”