ACS Law Data

September 28, 2010

The ongoing saga of the ACS Law data loss has highlighted the dangers in passing any confidential information that is not encrypted by e-mail. It also suggests that acting for clients who want to enforce copyright is tough. And it has left me wondering if the word ‘leak’ has suddenly lost all meaning.
As I write this, the latest on the BBC is {here: http://www.bbc.co.uk/news/technology-11434809} and I do not propose to rehash the facts. By the time you read this, there may be another development anyway.
I may be out of step, especially as I remain out of the UK and unable to gauge all reactions, but I find myself feeling rather more sympathy for Andrew Crossley than might be expected.

The sympathy is partly based on some massive over reactions. I fear that the Information Commissioner Christopher Graham may have been one of the people carried away in the moment when he threatened a large fine at a very early stage. He said ‘I can’t put ACS: Law out of business, but a company that is hit by a fine of up to half a million pounds suffers real reputation damage.’ It did rather sound like he wished he could put ACS out of business. A later official statement from the ICO said: ‘The ICO takes all breaches of the Data Protection Act very seriously. Any organisation processing personal data must ensure that it is kept safe and secure. This is an important principle of the Act. The ICO will be contacting ACS:Law to establish further facts of the case and to identify what action, if any, needs to be taken.’
I have been sent a number of press releases from security firms revelling in the breach and selling their services (Amichai Shulman, CTO of Imperva, was an honourable exception). I have seen the odd comment from those who do not much like action against illegal file-sharers which is downright gleeful. Sadly, I have even seen some ill-informed ’bandwagon’ comment from law firms that really should know better. The description of what has happened as a ‘leak’ has especially irritated me. If a bomb lands in my garden and the water pipes burst, we may have a leak but it is hardly the description that springs to mind first. If my bank complains about my lax security, leading to the loss of my credit cards, when I have been mugged by three members of the SAS, I would feel aggrieved. It is a bit like that with ACS.

I don’t have a brief for ACS. I interviewed Andrew Crossly some time ago, when ACS entered the mass enforcement market, and was quickly convinced that, though certainly no caped crusader, he was a lawyer in business trying to turn a profit and not a villain (unless one takes the view that lawyers wanting to turn a profit are generally villains). ACS did a job and, as the law stands, someone was going to do it. They have not armed themselves with security that would suit Fort Knox and MI5 but I am guessing that they are not the only law firm guilty of that. The exposure of the allegations of downloading of porn was not an action of ACS but of those fighting for a freedom that confuses free beer with free access to bars. Those who have suffered a loss of reputation as a result will do well to focus their anger on the revealers of that information as well as on ACS.