Fifth Data Protection Fine Issued

and it nearly ended up being the biggest so far. 

ACS Law, which has now ceased trading, had been pursuing alleged copyright infringement cases on behalf of copyright holders from the music, video games and adult film industries. Using information obtained from individuals` internet service providers, ACS Law had written to thousands of individuals who were alleged to have broken copyright law. 

The website operated by the former law firm was subject to a cyber attack September 2010 which led to a file containing emails between its staff, ISPs and members of the public appearing on a website with personal information relating to approximately 6,000 people. The information included individuals` ISP account details, their names and addresses, their IP addresses, their credit card details and information about the content they were alleged to have illegally copied. 

The ICO found that ACS Law had failed to comply with its security obligations under the Data Protection Act and was minded to issue a fine of £200,000 (the largest to date having been £100,000). ACS Law has since gone out of business, so the ICO instead took the decision to fine the owner, Andrew Crossley, £1,000 personally.

In issuing the fine, Information Commissioner Christopher Graham said:

"As Mr Crossley was a sole trader it falls on the individual to pay the fine. Were it not for the fact that ACS Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach. Penalties are a tool for achieving compliance with the law and, as set out in our criteria, we take people's circumstances and their ability to pay into account."

Tom Morrison, Partner at Rollits LLP, said:

"Clearly most organisations would not wish to go out of business before they can avoid paying a hefty fine. Had ACS Law remained in business it would have had a bill for £200,000 to pay. The fines being issued are not small - the others so far have been for amounts between £60,000 and £100,000 and have arisen in circumstances which could catch out any business or organisation which has not taken care to ensure that its procedures are compliant with the Data Protection Act."

Posted on: 23/05/2011

This article is for general guidance only. It provides useful information in a concise form. Action should not be taken without obtaining specific legal advice.

Back to News articles
Back to News articles

Sign up to email news

Sign up to receive email updates and regular legal news from Rollits LLP.

Sign up