Exposed on the Internet

The actions of anonymous online communities can often be as powerful as they are vindictive, as one UK law firm found to its cost in September 2010.

The firm specialises in intellectual property law, and one of its business practices is to issue £500 fines to individuals suspected of sharing copyrighted material online. This attracted the ire of the file-sharing community, and in September 2010 users of the controversial message board site 4chan launched a denial-of-service attack against the firm.

As ACS:Law tried to get its site back online, it appears to have accidentally published the personal details of thousands of Internet users suspected of sharing copyrighted material online, specifically music and pornography. In a twist of Internet irony, a volume containing all of that personal data soon appeared on a popular file-sharing website.

The episode exposed a number of questionable data security practices by the firm. And it also emerged that Internet service providers BT and Sky had previously sent users’ unencrypted personal data to ACS:Law via email.

The ACS:Law case has also exposed a serious flaw in data protection legislation. Many of the users whose personal details have been published online have potentially been defamed as law-breakers – something that current legislation seems not to cover.

“The law needs to be changed in this country to allow victims of data breaches to sue for compensation on grounds of defamation, not just financial loss,” commented Tony Dyhouse, director of cyber security at the government’s Digital Systems Knowledge Transfer Network. “At the moment, you can only seek compensation for loss of reputation once financial loss has been proven. This can’t be right.”

The ICO is currently investigating these events. “The question we will be asking is how secure this information was and how it was so easily accessed from outside,” said commissioner Christopher Graham. “We’ll be asking about the adequacy of encryption, the firewall, the training of staff and why that information was so public facing.”

Jim Killock, executive director at digital privacy lobbyist the Open Rights Group, says the case exposes deficiencies in the UK’s data privacy regulations

It’s going to make people sit up and wonder whether UK law is really adequate and protecting citizens.

Clearly, [the leaked data] is very sensitive information that on one level might result in embarrassment, but on another could cause a life-changing and devastating effect. People are collecting information that is not related to them, and they’re doing it with pretty much the tacit permission of government. It’s happening without proper regulation and without people considering the real consequences of what they’re doing.

Bridget Treacy, head of UK privacy and information management at law firm Hunton & Williams, says ACS:Law could face a number of legal complaints as result of the breach

The Data Protection Act gives individuals the right to compensation from data controllers for damage caused by any breach of the Act. Very few claims for compensation have been brought by individuals under the Act, [however], because of the difficulty of proving that the particular breach caused damage. Individuals typically complain to the ICO, rather than suing for damages.

This case may well be different. There may be claims for defamation and for breach of confidentiality, and not merely for breach of the Data Protection Act.

Peter Done

Peter Done is managing director of Peninsula Business Services, the personnel and employment law consultancy he set up having already built a successful betting shop business.

Related Topics