ACS:Law fined over data breach
- 11 May 2011
- From the section Technology
Andrew Crossley, the controversial solicitor who made money by accusing computer users of illegal file sharing, has been fined £1,000.
The penalty has been imposed for a data breach which saw the personal details of 6,000 computer users, targeted by his firm, exposed online.
Information Commissioner Christopher Graham said that the severity of the breach warranted a heavier fine.
But he added that Mr Crossley was not in a position to pay.
"Were it not for the fact that ACS:Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach."
A spokeswoman for the ICO told the BBC that it did not have the power to audit people's accounts but said that Andrew Crossley had provided a sworn statement on the state of his finances.
The security breach occurred following a denial-of-service attack by members of the hacktivist group Anonymous, who were unhappy at the tactics being used by Mr Crossley and his law firm.
"Sensitive personal details relating to thousands of people were made available for download to a worldwide audience and will have caused them embarrassment and considerable distress," said Mr Graham.
As well as exposed peoples' names and addresses, a list of pornographic films they were accused of illegally downloading was also made available.
"The security measures ACS:Law had in place were barely fit for purpose in a person's home environment, let alone a business handling such sensitive details," Mr Graham said.
ACS:Law was conducting a widespread speculative invoicing campaign, which saw Mr Crossley send letters to thousands of people accusing them of downloading content without paying for it and asking them to pay a fine of around £500 per infringement.
The scheme came unstuck when a handful of the cases went to court and the judge ruled that the Mr Crossley had mishandled them and abused the court system.
He faces a disciplinary hearing at the Solicitors Regulation Authority next month.
The data breach was one of the most high profile and worst seen in the UK to date.
The relatively small fine imposed on Mr Crossley will anger opponents who argue that the ICO lacks any real teeth when it comes to data breaches.
It was recently criticised for not being tougher on Google after the firm accidentally collected personal information from millions of unsecured wi-fi connections when it collected pictures for its StreetView service.
The ICO has called for greater powers to investigate data breaches and to probe deeper into peoples' finances.
"We would welcome the power to refer cases like this to the court who can order people to be questioned about their financial affairs with appropriate sanctions if they do not cooperate," an ICO spokeswoman told the BBC.
But critics think more is needed.
"This fine is shockingly low. Many people have been aggrieved and wrongly accused. They are entitled to some form of compensation," he added.
Consumer watchdog Which? was among the first to expose that people had been wrongly accused. It described the fine as "paltry".
"ACS Law demanded around £400 from each of the people it accused of illegal file sharing, yet for a serious breach of data protection law, it gets a paltry fine of £1,000. This is utterly inadequate - the ICO should have imposed an appropriate sanction," said Deborah Prince, head of legal affairs.
"The ICO said that if ACS Law was still trading it would have imposed a penalty of £200,000. This beggars belief. It sends the message that businesses that commit a data breach can expect appropriate punishment, unless they dissolve their business, in which case they'll get off lightly," she added.