Sunday, 12 June 2011

ACS:Law Data Breach: How the ICO Took Eight Months to Reach a Conclusion

In September 2010 ACS:Law published a backup of its email system to its public-facing website. The emails were subsequently downloaded and made widely available on the internet. Contained in the emails were a massive amount of confidential information. Most seriously the emails contained the names and addresses of many thousands of individuals that ACS:Law alleged had made unlawfully copyright works (often including pornography) available on peer-to-peer networks.

It has since been heard in court that the evidence upon which these accusations were based was extraordinarily unreliable and often simply wrong. Exactly how prone to failure these systems were is unknown but suffice to say that for a single law firm to generate in excess of five hundred complaints to its regulatory body in under two years indicates quite some significant degree of error.

The data leak was the singular most serious breach of personal data ever seen in the UK. The Information Commissioner’s Office began investigating the breach on Monday 27th September 2010, shortly after it took place. It was on 9th May 2011 that the ICO issued a Monetary Penalty Notice to Andrew Crossley, the sole solicitor, owner and data controller of ACS:Law. The amount of the penalty had initially been determined at £200,000 – to have been the largest ever issued, determining Crossley’s number-one spot in the list of unlawful breaches of the Data Protection Act. This was subsequently reduced by the ICO to just £1000; it transpires that a petition was filed for Andrew Crossley’s bankrupty by HM Revenue & Customs in December 2010 and the bankruptcy order was granted in May 2011.

Some, though, have questioned the delay the ICO took in reaching their determination. Following a series of requests of the ICO under the Freedom of Information Act there is some light to be shed.

What follows is a timeline of the events between the breach and the issue to Andrew Crossley of the Monetary Penalty Notice:

27/09/10                first ICO case file created (COM0351377)
28 & 29/09/10        ICO to ACS Law - initial enquiries asking for response by 12/10/10
08/10/10                response from ACS Law to ICO
13/10/10                ICO to ACS Law requesting more information
13/10/10                response from ACS Law
20/10/10                ICO internal meeting – establishing further information required
29/10/10                ICO to ACS Law requesting more information
09/11/10                ACS Law to ICO – response to further enquiries
01/12/10                ICO site visit to ACS Law offices
21/12/10                Internal meeting to discuss decision and amount of any CMP
23/12/10                Enforcement case created (ENF0366446)
19/01/11                Notice of Intent sent by ICO to ACS Law
28/01/11                ICO to ACS Law agreeing extension of time to make representations until 01/03/11
01/03/11                ACS Law to ICO – representations in response to Notice of Intent
09/03/11                internal ICO meeting to discuss representations
21/03/11                ICO to ACS Law asking for further financial information and enclosing blank form to be completed
07/04/11                ACS Law to ICO returning financial information
14/04/11                ICO Internal meeting to discuss CMP
20/04/11                ICO to ACS Law – advising will reduce penalty but requiring sworn affidavit
03/05/11                ACS Law to ICO sending affidavit
09/05/11                ICO to ACS Law sending Monetary Penalty Notice (MPN) (dated 09/05/11)
06/06/11                Any appeal to the MPN should be lodged by this date as stated at the end of the MPN. Any extension of time to appeal is the decision of the Tribunal. The ICO will likely be informed of any appeal directly by the Tribunal.

I have carried out a little statistical analysis (download the spreadsheet here - feel free to add comments) of the periods of delay / waiting in this timeline in order to determine which parties are accountable for the time taken in reaching a conclusion. It is evident that both Andrew Crossley and the ICO have dragged their heels on this case.

The ICO unnecessarily delayed matters by, among other issues, agreeing (at Andrew Crossley’s suggestion) on the 11th November not to visit ACS:Law’s offices to progress the matter until the 1st December and extending the 21-day period for written representation in response to the Notice of Intent (to issue an MPN) by an additional 18 days; almost doubling the period laid down in statute.

A pie chart sets out where the delays happened. You can draw your own conclusions on this one:


  1. Another great post on the Speculative Invoicing saga. Thanks Will, would you mind if I use some of your info in a forthcomming post on my Blog?

    It would seem the ICO have come out of this in a pretty bad way, very shoddy work on their side of things.

  2. Excellent piece of research, well done.Did details of any meetings between the ICO and HMRC to discuss Mr Crossleys finances show up in the information you received under your FOI request?

  3. Hickster: You're very welcome to use the information.

    Anonymous: There wasn't any information on meetings between the ICO and HMRC and I'm inclined to think none took place (I would have expected it to be in the list of actions if it had been). That said, Andrew Crossley was required to fill out a very comprehensive multi-page form specifying financial information. The ICO would have ended up very well informed to to AC's financial status.

  4. Great work. You should post this elsewhere on the internet so that as many people as possible see it. And of course send to any official sources that may bring about change, e.g. whoever oversees the ICO, other Gov. officials.