Thursday, September 30, 2010

Law Firm Facing Government Fine for Data Breach

We've commented several times on growing data privacy and confidentiality management trends. (See recent posts on client and regulatory drivers: [1] [2] [3]). Now comes a story of a recent law firm breach and its potential impact: the UK law firm ACS:Law may be fined as much as £500,000 by the UK Information Commissioner’s Office in response to a recent data breach.

The firm had undertaken a programme of sending out letters to those allegedly sharing copyrighted material on the internet, asking individuals for £500 per infringement or threatening potential court action. According to the BBC, their system may have been inaccurate and their tactics inappropriate:
  • A BBC investigation in August found a number of people saying they were wrongly accused by ACS:Law of illegal file-sharing. UK consumer group Which? says it has also received a number of complaints. Many contest that IP addresses can be spoofed.
  • ACS:Law is under investigation by the Solicitors Regulation Authority over its role in sending letters to alleged pirates.
Recently, a confederation of internet activists attacked the law firm and "hacked" servers, revealing personal information that was not properly secured. As UK Information Commissioner Christopher Graham stated:
  • "The question we will be asking is how secure was this information and how it was so easily accessed from outside. We'll be asking about the adequacy of encryption, the firewall, the training of staff and why that information was so public facing."
This is a lesson for any law firm or organisation that holds information subject to data privacy rules: review your confidentiality management controls and practices.
