In September 2010 ACS:Law published a backup of its email system to its public-facing website. The emails were subsequently downloaded and made widely available on the internet. Contained in the emails were a massive amount of confidential information. Most seriously the emails contained the names and addresses of many thousands of individuals that ACS:Law alleged had made unlawfully copyright works (often including pornography) available on peer-to-peer networks.
It has since been heard in court that the evidence upon which these accusations were based was extraordinarily unreliable and often simply wrong. Exactly how prone to failure these systems were is unknown but suffice to say that for a single law firm to generate in excess of five hundred complaints to its regulatory body in under two years indicates quite some significant degree of error.
The data leak was the singular most serious breach of personal data ever seen in the UK. The Information Commissioner’s Office began investigating the breach on Monday 27th September 2010, shortly after it took place. It was on 9th May 2011 that the ICO issued a Monetary Penalty Notice to Andrew Crossley, the sole solicitor, owner and data controller of ACS:Law. The amount of the penalty had initially been determined at £200,000 – to have been the largest ever issued, determining Crossley’s number-one spot in the list of unlawful breaches of the Data Protection Act. This was subsequently reduced by the ICO to just £1000; it transpires that a petition was filed for Andrew Crossley’s bankrupty by HM Revenue & Customs in December 2010 and the bankruptcy order was granted in May 2011.
Some, though, have questioned the delay the ICO took in reaching their determination. Following a series of requests of the ICO under the Freedom of Information Act there is some light to be shed.
What follows is a timeline of the events between the breach and the issue to Andrew Crossley of the Monetary Penalty Notice:
27/09/10 first ICO case file created (COM0351377)28 & 29/09/10 ICO to ACS Law - initial enquiries asking for response by 12/10/1008/10/10 response from ACS Law to ICO13/10/10 ICO to ACS Law requesting more information13/10/10 response from ACS Law20/10/10 ICO internal meeting – establishing further information required29/10/10 ICO to ACS Law requesting more information09/11/10 ACS Law to ICO – response to further enquiries01/12/10 ICO site visit to ACS Law offices21/12/10 Internal meeting to discuss decision and amount of any CMP23/12/10 Enforcement case created (ENF0366446)19/01/11 Notice of Intent sent by ICO to ACS Law28/01/11 ICO to ACS Law agreeing extension of time to make representations until 01/03/1101/03/11 ACS Law to ICO – representations in response to Notice of Intent09/03/11 internal ICO meeting to discuss representations21/03/11 ICO to ACS Law asking for further financial information and enclosing blank form to be completed07/04/11 ACS Law to ICO returning financial information14/04/11 ICO Internal meeting to discuss CMP20/04/11 ICO to ACS Law – advising will reduce penalty but requiring sworn affidavit03/05/11 ACS Law to ICO sending affidavit09/05/11 ICO to ACS Law sending Monetary Penalty Notice (MPN) (dated 09/05/11)06/06/11 Any appeal to the MPN should be lodged by this date as stated at the end of the MPN. Any extension of time to appeal is the decision of the Tribunal. The ICO will likely be informed of any appeal directly by the Tribunal.
I have carried out a little statistical analysis (download the spreadsheet here - feel free to add comments) of the periods of delay / waiting in this timeline in order to determine which parties are accountable for the time taken in reaching a conclusion. It is evident that both Andrew Crossley and the ICO have dragged their heels on this case.
The ICO unnecessarily delayed matters by, among other issues, agreeing (at Andrew Crossley’s suggestion) on the 11th November not to visit ACS:Law’s offices to progress the matter until the 1st December and extending the 21-day period for written representation in response to the Notice of Intent (to issue an MPN) by an additional 18 days; almost doubling the period laid down in statute.
A pie chart sets out where the delays happened. You can draw your own conclusions on this one: