The UK’s Information Commissioner’s Office today announced that it was fining Andrew Crossley of the now defunct ACS Law £1,000 for failing to keep secure sensitive personal information about 6,000 people.
The Information Commissioner, Christopher Graham, was particularly critical, saying, “The security measures ACS Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details.”
If ACS Law had still been trading, the fine could have been as high as £200,000. As Andrew Crossley was trading as a sole trader under the name ACS Law, it falls on him to pay as an individual.
Previously, ACS Law had been pursuing alleged copyright infringers on behalf of copyright holders, including some from the adult entertainment industry. Its main tactic had been to send out letters to the alleged infringers, “encouraging” them to settle outside of court. Apparently over £1 million was raised through this tactic, with 65% of the money going to ACS Law and only 35% going to the copyright holders (as reported by the BBC).
Last year ACS Law’s IT systems were hit by a distributed denial of service (DDoS) attack, which brought down their website. When the site was restored, a backup file was, for a short time, easily available for download by anyone. This file contained Excel spreadsheets with information on around 13,000 alleged file sharers, including those accused of downloading pornography.
More from the press release:
The ICO’s investigation found serious flaws in ACS Law’s IT security system. Mr Crossley did not seek professional advice when setting up and developing the IT system which did not include basic elements such as a firewall and access control. In addition ACS Law’s web-hosting package was only intended for domestic use. Mr Crossley had received no assurances from the web-host that information would be kept secure. While the firm should have been aware of their obligations under the Data Protection Act, they continued to act negligently and failed to ensure that appropriate technical and organisational measures were in place to keep personal information secure.
Overall, a pretty damning report. However, even if ACS Law is no longer trading, one can’t help but feel that Andrew Crossley’s £1,000 fine is too small, given that around £650,000 was raised by ACS Law by threatening alleged copyright infringers with legal action. I wonder what the average cost to settle was in comparison?