ICO Slaps ACS:Law With £1,000 Data Breach Fine

The bad news continues for ACS:Law after the ICO issued it with a £1,000 fine for lax IT security

Controversial law firm ACS:Law has been hit with a £1,000 fine by the Information Commissioner’s Office (ICO) for its lax security that permitted a damaging data breach.

However, the firm escaped having to pay a £200,000 fine, as the company is no longer trading.

“Andrew Jonathan Crossley – as data controller of the former law firm – has been served with a monetary penalty of £1,000,” said the ICO in its ruling.

Data Breach

The fine was issued after the website of ACS:Law was hit with a distributed denial-of-service (DDoS) attack last September. The attack exposed the unencrypted details of 6,000 broadband users, who reportedly signed up to BSkyB services and were thought to be illegally sharing pornography.

This included people’s ISP account details, their names and addresses, and their IP addresses, as well as information about the content they were alleged to have illegally copied. It also included some people’s credit card details, as well as references to their sex life, health and financial status.

Days later the ICO announced it would investigate the matter.

It subsequently found “serious flaws in ACS Law’s IT security system.”

“This case proves that a company’s failure to keep information secure can have disastrous consequences,” said Information Commissioner Christopher Graham. “Sensitive personal details relating to thousands of people were made available for download to a worldwide audience and will have caused them embarrassment and considerable distress. The security measures ACS:Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details.”

ACS:Law is the now defunct law firm that had been tracking Internet users in the UK. It achieved notoriety for its letter-writing campaigns to individuals suspected of illegal file-sharing. This included a 78-year-old man, who was accused of illegally downloading pornography.

“As Mr Crossley was a sole trader it falls on the individual to pay the fine,” added Graham. “Were it not for the fact that ACS:Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach. Penalties are a tool for achieving compliance with the law and, as set out in our criteria, we take people’s circumstances and their ability to pay into account.”

Controversial Firm

It has been a torrid time for Andrew Crossley and ACS:Law, although his plight will attract little sympathy.

ACS:Law specialised in pursuing alleged copyright infringement cases on behalf of copyright holders from the music, video games and adult film industries. The firm gathered the information from individuals’ Internet service providers (ISPs), and the firm was unapologetic for its threatening letter campaign which was branded as bullying and extortion by critics.

But Crossley’s legal cases against 26 defendants were effectively shot down in the courts. In December eight cases of alleged copyright infringement, brought by MediaCAT and represented by ACS:Law, were firmly rejected by the courts.

Despite this, ACS:Law and MediaCAT continued to pursue the issue, sending out letters in January this year claiming that ACS:Law was no longer acting on behalf of MediaCAT, and that further payments should be made to a company called GCB Limited. But later in the month it dropped its pursuit of file-sharers due to alleged threats.

In February, in the Patents County Court, Judge Birss QC accused ACS:Law and MediaCAT of attempting to avoid public scrutiny by backing out of the cases, and cast doubt on the evidence of file-sharing.

And in April a judge in the Patents County Court ruled that an action against ACS:Law requiring the firm to pay defendants’ costs could go ahead.