The UK Information Commissioner’s Office (the “ICO”) has indicated that UK law firm ACS:Law could face a maximum penalty of £500,000 following a major data breach.
Personal information, including names and addresses, of over 8,000 Sky broadband subscribers and 400 PlusNet users was made publicly available following an apparent attack on ACS:Law’s website. The broadband customers involved are suspected by ACS:Law’s clients of illegally file-sharing copyright work, including music and, in some instances, pornographic films.
UK Information Commissioner Christopher Graham told BBC News yesterday, “The question we will be asking is how secure was this information and how was it so easily accessed from the outside. We’ll be asking about the adequacy of encryption, the firewall, the training of staff and why that information was so public facing.” He continued, “I can’t put ACS:Law out of business, but a company that is hit by a fine of up to half a million pounds suffers real reputation damage. Firms have to think about how this looks to their customers and our citizens.”
The ICO is in the process of investigating the data breach before deciding whether enforcement action, including a fine of up to £500,000, is appropriate. Despite having gained the power to impose fines in April 2010, the ICO has yet to fine an organization for a serious breach of the UK Data Protection Act 1998. There has been speculation that this case may result in the UK’s first fine, although sources at the ICO have indicated that there are other serious breaches already under investigation, where fines may ensue.
Update: On May 10, 2011, the ICO announced that it was fining the data controller of the former law firm £1,000 for failing to implement adequate security measures. Commissioner Graham indicated that, were it not for the fact the firm is no longer in business, the fine would have been £200,000.