In an announcement today, the UK’s Information Commissioner’s Office (ICO) has revealed that Andrew Crossley, the former boss of ACS:Law, has been handed a penalty for his failure to ensure the security of sensitive data held on their computer systems.
As readers will be aware, last year the company succeeded in spilling the details of around 6,000 Internet subscribers onto an unprotected web page following a Denial of Service attack carried out by Anonymous.
“This case proves that a company’s failure to keep information secure can have disastrous consequences. Sensitive personal details relating to thousands of people were made available for download to a worldwide audience and will have caused them embarrassment and considerable distress,” said Information Commissioner, Christopher Graham.
“The security measures ACS Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details.”
The ICO revealed that Crossley did not obtain professional advice when setting up his systems, didn’t operate a firewall and used a web-hosting package intended for domestic users.
So how much, exactly, will Crossley be expected to pay for this complete failure to live up to his obligations? According to Graham, ACS:Law’s fine would have been £200,000 given the severity of their conduct, but there are mitigating circumstances.
“Penalties are a tool for achieving compliance with the law and, as set out in our criteria, we take people’s circumstances and their ability to pay into account,” Graham continued.
That’s a long-winded way of saying that Crossley is insisting he’s broke, so he can’t pay. Which is interesting.
PC Pro are reporting that they asked the ICO if they had taken steps to verify Crossley’s financial status but are yet to receive a response. Maybe the following will help.
Only last year Crossley was boasting of being a resident of Monaco and you need a few quid knocking around to achieve that. His taste in expensive cars has been well documented too. But there’s more.
Some time ago TorrentFreak acquired a copy of a document dated October 2010 where Crossley swore to a court that he had a “thriving and successful law firm” (this is after the data breach) that had collected more than £1.5 million in settlements. We know, from recent court proceedings, that he was collecting 65% of money recovered. You can do the math.
In the document Crossley also swore to jointly owning a £750,000 home and having £200,000 of work in progress at ACS:Law, yet now we are expected to believe that Crossley can only afford to pay £1,000 in fines.
That’s equivalent to just two of the £500 settlements he expected Internet users to cough up for the alleged sharing of a single third-rate movie, based on claims that were so weak that neither he nor his clients were prepared to see them through to conclusion in court. Yet he collected these settlements from thousands.
Disappointing decision by the ICO? You bet.