The Information Commissioner has been criticised for levying a monetary penalty of just £1,000 against a law firm whose severe security shortcomings led to the sensitive personal data of 6,000 people being made available online.

ACS: Law, led by solicitor Andrew Crossley, was conducting a widespread speculative invoicing campaign which involved accusing thousands of people of illegal file sharing and charging fines (which Douglas discussed a few months ago). However, the scheme came unstuck when “hacktivism” group Anonymous took umbrage with Mr Crossley’s tactics and launched a “denial of service” attack. The attack made the ACS: Law website “collapse”, revealing details of individuals accused of illicit filesharing which had previously been hidden from unauthorised access.

Reports of the incident have suggested that the breach was aggravated because it revealed details of illegally downloaded pornographic films, meaning that not just any old personal data was disclosed, but “sensitive personal data” as defined under the Data Protection Act 1998, pertaining to individuals’ sexual lives.

Of course, as all diligent data protection lawyers know, details of the commission (or alleged commission) of any offence already constitute “sensitive personal data” under the DPA. So I’m not really sure why the “midnight movies” needed to be mentioned at all. It wouldn’t be just to make an article about data protection seem a wee bit saucier, would it?

Information Commissioner Christopher Graham said that the severity of the breach would have warranted a fine of £200,000, but he believed that Mr Crossley was not in a position to pay. (The ICO does not have the power to audit people’s accounts, but instead obtained a sworn statement from Andrew Crossley on the state of his finances.)

Privacy campaigners are now concerned that the decision introduces a loophole for companies wishing to evade ICO monetary penalties. I’m not convinced. Surely pretending to be bankrupt is even worse for your reputation than failing to protect personal data?

Martin Sloan

Partner at Brodies LLP
Martin is a partner in Brodies Technology, Information and Outsourcing group and has wide experience of advising clients on technology procurement and IT and business process outsourcing projects. Martin also advises on data protection (including the GDPR), and general technology and intellectual property law, and has a particular interest in the laws applying to social media and new technology such as mobile apps, contactless/mobile payments, and smart metering.