ICO fines former ACS Law owner for lax IT security
The owner of former solicitors firm ACS Law has been served with a monetary penalty from the Information Commissioner’s Office (ICO) for failing to keep sensitive personal information secure. Andrew Crossley, as data controller of the former law firm, has been served with a monetary penalty of £1,000. However, Information Commissioner Christopher Graham has stated that, were ACS Law still trading, the fine could have been as high as £200,000.

Graham said: “This case proves that a company’s failure to keep information secure can have disastrous consequences. Sensitive personal details relating to thousands of people were made available for download to a worldwide audience and will have caused them embarrassment and considerable distress. The security measures ACS Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details.

“As Mr Crossley was a sole trader it falls on the individual to pay the fine. Were it not for the fact that ACS Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach. Penalties are a tool for achieving compliance with the law and, as set out in our criteria, we take people’s circumstances and their ability to pay into account.”

In September 2010, the website of ACS Law was subjected to an online attack which caused it to crash. After the attack, a file containing emails between ACS Law staff, and some to and from ISPs or members of the public, appeared on a website, giving anyone who downloaded the file access to around 6,000 people’s sensitive personal information.

The ICO’s investigation found serious flaws in ACS Law’s IT security system. Mr Crossley did not seek professional advice when setting up and developing the IT system, which did not include basic elements such as a firewall and access control. In addition, ACS Law’s web-hosting package was only intended for domestic use. While the firm should have been aware of its obligations under the Data Protection Act, it continued to act negligently and failed to ensure that appropriate technical and organisational measures were in place to keep personal information secure.

You can see the full penalty notice against Mr Crossley on the ICO’s website.