ACS Law could face £500,000 fine over leaks

Following the leak of of a large e-mail archive from anti-piracy law firm ACS Law, the Information Commissioner has weighed in - and hasn't ruled out financial sanctions against the company.

After an attack designed to take the site offline, carried out by cyber-vigilante group Anonymous in retaliation for the company's campaign of threatening legal action against file sharers, a mistake by ACS Law's administrators left internal documents - including a large archive of e-mail - accessible by the public.

The e-mails contained a treasure trove of information for those campaigning to stop the practice of sending demands for money to those accused of sharing copyright content on-line under threat of legal action which never seems to materialise - but it also held personally identifiable information for around 10,000 UK-based individuals, many of whom are accused of downloading and sharing hardcore pornography.

The leak has left ACS Law accused of failing to protect information as required under UK privacy laws, with international watchdog Privacy International reporting the company to the Office of the Information Commissioner.

Speaking on BBC Breakfast, the Information Commissioner Christopher Graham said that he will not "rush to judgement" on the case, but that it certainly appears that ACS Law could be culpable for the breach.

During the interview, Graham discounted the issue of copyright and the pornographic aspect of the accusations, reiterating that his office is only interested in ACS Law's responsibilities under the Data Protection Act. "All companies have to take their responsibilities very seriously," he said, and explained that his office will be "asking questions about the adequacy of encryption of information, the firewall, the technology - but also the training within the company and what all that information was doing so public-facing and easily accessible."

Distancing his office against the campaigning that is following the case - from both sides of the copyright fence - Graham stated that he was only interested in the privacy implications of the breach, and confirmed that he holds the power to "levy fines of up to half a million pounds against companies that are flouting the Data Protection Act."

Describing ACS Law's possible defence of being subject to an attack at the time of the breach, Graham explained, "that excuse doesn't wash," and that "anyone who holds personal information has to take their responsibilities seriously or there will be trouble."

From Graham's comments, it certainly looks like ACS Law could be for the high jump in this particular case - and a £500,000 fine will put quite a dent in whatever proceeds the company made from its anti-file-sharing activities.