
ACS Law owner Andrew Crossley escapes with £1,000 fine from ICO

by Phil Muncaster

10 May 2011


Andrew Crossley, owner of controversial law firm ACS Law, has been handed a £1,000 fine by the Information Commissioner's Office (ICO) after his company accidentally exposed the details of 6,000 people last year.

The data protection watchdog warned that the fine would have been £200,000 if ACS Law was still trading.

ACS Law sent out hundreds of letters to alleged illegal file sharers on behalf of rights holders demanding that the recipient pay up or face court action.

However, when the time came to take the accused to court, the law firm appeared to lose its nerve, after it emerged that many of those suspected were believed to have been wrongly accused on little evidence.

Crossley then dropped the cases after complaining of death threats against him and his family, and the firm was closed down in February.

However, the ICO fine goes back to September 2010, when ACS Law's site was hacked, causing it to crash.

After the attack, a file appeared on the site containing internal ACS Law staff emails, and emails to and from ISPs or members of the public, allowing anyone who downloaded the files access to around 6,000 people's sensitive personal information, the watchdog explained.

Information including names, addresses, credit card details and even references to the accused file sharers' sex lives and health was exposed.

The ICO said that it found "serious flaws" with the law firm's IT security system. For example, the site was hosted on a domestic hosting package and did not even include basics such as a firewall and access controls.

Crossley escaped a £200,000 fine from the ICO only because he is now a sole trader, the watchdog said.

Information commissioner Christopher Graham argued that the case proved that a poor attitude to data protection can have "disastrous consequences".

"Sensitive personal details relating to thousands of people were made available for download to a worldwide audience and will have caused them embarrassment and considerable distress," he said.

"The security measures ACS Law had in place were barely fit for purpose in a person's home environment, let alone a business handling such sensitive details."

Although the ICO said it planned a £200,000 fine if the company had still been trading, the case might be used by critics of the watchdog as proof that it is still pulling its punches when it comes to enforcing financial penalties.

Sam Jardine, an associate at international law firm Eversheds, argued that the £1,000 fine was a "token slap on the wrist for a broken business".

"The ACS Law debacle has highlighted the need for businesses to have robust IT security in place when their systems contain personal data," he said.

"The Data Protection Act requires all data controllers to have 'appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data'."

Do you agree?

 
