Business News Legal Top Stories

File-sharing law firm could be fined half a million for alleged data protection failures after 4chan attack

By | Published on Tuesday 28 September 2010

ACS:Law, the London-based legal firm that has been much criticised for its work in the sue-the-fans anti-file-sharing domain, could face a fine from the Information Commissioner after hackers were able to acquire and publish a list of thousands of Sky web users (reports say between 4000 and 5000) and the porn they were accused of illegally accessing via P2P networks.

Which? magazine raised concerns about ACS:Law earlier this year after various web users argued they had been falsely accused of infringing the copyrights of the content owners represented by the legal firm. Because the lawyers represent a number of porn companies, some accused the legal men of basically intimidating people into out of court settlements even when the case for infringement was weak, because those targeted would be nervous of going to court given the nature of the content they were accused of accessing.

Such claims may have been unfair, though according to the BBC the Solicitors Regulation Authority is reviewing ACS’s letter-sending activity. Either way, ACS and the company’s main man Andrew Crossley have been unrepentant about their strategy of profiting from the sort of file-sharing litigation that has been widely disregarded by the mainstream music industry which sees it as a costly, time consuming and inefficient way of dealing with the file-sharing problem. It’s not clear if ACS represents any music companies.

It was Crossley’s public advocacy for sue-the-fans litigation that made him enemy number one among the ever proactive pro-file-sharing community, and which has led to ACS’s current woes. Users of the previously reported 4chan community made the legal firm’s website and servers a target for their latest cyber attack, and it was as a result of that attack that a stack of very confidential lists – seemingly including names, contact and credit card information, and details of the porn users were accused of accessing – got published onto the net.

Although ACS is, in effect, the victim in this story, the organisation could still feel the wrath of the regulator if it’s shown that a slack approach to data protection enabled the hackers to gain sensitive information. Campaign group Privacy International has said that under the Data Protection Act such sensitive data should never have been stored on a public-facing server.

The BBC quote UK Information Commissioner Christopher Graham, who says: “The question we will be asking is how secure was this information and how it was so easily accessed from outside. We’ll be asking about the adequacy of encryption, the firewall, the training of staff and why that information was so public-facing”.

He continued: “The Information Commissioner has significant power to take action and I can levy fine of up to half a million pounds on companies that flout the Data Protection Act. I can’t put ACS:Law out of business, but a company that is hit by a fine of up to half a million pounds sufferers real reputation damage”.

Crossley has given only brief comment to reporters about the data leak, saying he can’t discuss the case in detail for legal reasons, but confirming that he has informed the police about the hack and has spoken to the Information Commissioner’s office. In the meantime, he told journalists, “it’s business as usual at ACS:Law”.

ACS’s woes do not affect the music industry directly, given we don’t know of any music companies hiring their services. But given privacy concerns are often given (albeit not always entirely convincingly) by the net sector as a reason for resisting calls to be more proactive in the battle against file-sharing, the fact one legal firm has managed to leak the details of so many Sky customers will provide more ammunition for the Talk Talks of this world as to why they should not have to participate in any new anti-piracy initiatives, include three-strikes.