On 10 May 2011 the Information Commissioner imposed a £1,000 monetary penalty on Andrew Crossley, trading as ACS Law, for a serious breach of security that permitted over 6,000 individuals’ details to be accessible on an unsecured website. Already, there is much discussion on the internet as to the fairness of this penalty. Has justice been done?
Internet comment is not likely to be objective in the case of ACS Law, given that it was the law firm targeted by hackers for a distributed denial of service (DDoS) attack as retribution for its perceived aggressive approach to internet users it alleged to be illegal copyright infringers (see the Wikipedia entry for ACS:Law). Andrew Crossley was reported to have made a profitable business pursuing copyright infringement cases – claiming he would be buying a Ferrari F430 Spider for cash. The monetary penalty of £1,000 amounts to less than 17p for each individual’s details that ACS Law left unsecured on its website as part of its recovery from the DDoS attack.
However, the Information Commissioner has made it clear that had ACS Law still been trading, he would have imposed a monetary penalty of £200,000 (the maximum that could have been imposed was £500,000). Clearly the Information Commissioner was satisfied by the written representation sworn on oath by Andrew Crossley to reduce the fine to the token £1,000 – much to the chagrin of many on the internet less willing to accept Crossley’s pleas of reduced financial circumstances.
Other data controllers ought to reflect on the factors considered by the Information Commissioner in making the monetary penalty. In particular, the lack of investment in appropriate security measures was a major factor, as was the lack of appropriately IT-trained personnel in the organisation. In addition, whilst spending serious money to remedy the security breach (in ACS Law’s case, £20,000 to fix the problem) was considered a mitigating factor, it was evidently not that significant given the level of the penalty that would otherwise have been imposed.
Lawyers and law firms also ought to take particular note that as far as the Information Commissioner is concerned, they cannot expect any leniency for any breach by them of the Data Protection Act 1998 – “Data controller is a lawyer and should have been fully aware of his obligations under the Act.”