The Information Commissioner's fining of solicitor Andrew Jonathan Crossley is interesting in several respects and contains an important message for many small businesses.
The £1,000 fine was announced by the Information Commissioner's Office (ICO) today in a press release.
Mr Crossley was the owner of the law firm ACS Law, which has recently ceased trading. The firm gained widespread exposure in recent years for its aggressive pursuit of those alleged to have infringed copyright through peer-to-peer file sharing. It seems that many of those pursued by the firm were probably innocent, and I understand that the only successful prosecutions in this matter were won by default when the defendants failed to appear in court.
In September 2010, ACS Law's web site was seriously attacked, causing it to crash. In the aftermath, a backup file containing emails between ACS Law's employees and other parties appeared on the web site, which allowed anyone to access around 6,000 people's sensitive personal information. These emails included credit card details as well as references to people's sex lives, health and financial circumstances.
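The failure described above, a backup archive of mail sitting somewhere the web server will serve it, is easy to catch before it becomes a breach. The script below is an added example and is not from the original post nor anything ACS Law used: it walks a document root, flags files whose names or extensions mark them as archives, database dumps, mailbox exports or editor backups, and reports whether each is readable by other users (which is what a web server process running under its own account needs in order to serve the file). The sample directory tree is constructed inside the script for the demonstration; the file name patterns are an assumed starting list, not an exhaustive one.

```python
"""Find backup and dump files left inside a web document root.

Added example, not from the original post. Assumes a Unix-like host on which
everything under the document root is served by the web server; the sample
tree below is constructed here purely for the demonstration.
"""
import os
import stat
import tempfile
from pathlib import Path

# Extensions a web server will happily serve but which should never sit in a
# document root: archives, database dumps, mail exports, editor backups.
# This list is an assumption for the example; extend it for your own estate.
RISKY_SUFFIXES = {".zip", ".tar", ".gz", ".tgz", ".7z", ".rar", ".bak",
                  ".old", ".sql", ".pst", ".mbox", ".eml"}
# Words in a file name that suggest a backup or export rather than site content.
RISKY_NAMES = {"backup", "dump", "export", "mail", "emails"}


def is_risky(path: Path) -> bool:
    """True if the file name looks like a backup, dump or mail export."""
    suffixes = {s.lower() for s in path.suffixes}   # handles site.tar.gz
    name = path.name.lower()
    return bool(suffixes & RISKY_SUFFIXES) or any(w in name for w in RISKY_NAMES)


def world_readable(path: Path) -> bool:
    """True if the 'other' read bit is set, i.e. a web server account can read it."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def scan_docroot(docroot):
    """Return a sorted list of (relative_path, world_readable) for risky files."""
    root = Path(docroot)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if is_risky(p):
                findings.append((str(p.relative_to(root)), world_readable(p)))
    return sorted(findings)


def build_sample_docroot():
    """Constructed sample tree: a small site with a mail backup left in it."""
    d = Path(tempfile.mkdtemp(prefix="docroot-"))
    (d / "index.html").write_text("<html>ok</html>")
    (d / "css").mkdir()
    (d / "css" / "site.css").write_text("body{}")
    # The kind of file that caused the ACS Law exposure: an archive of mail,
    # restored into a served directory and readable by any account.
    (d / "restore").mkdir()
    (d / "restore" / "mail-backup.tar.gz").write_bytes(b"\x1f\x8b")
    os.chmod(d / "restore" / "mail-backup.tar.gz", 0o644)
    # A dump that is at least owner-only: still wrong place, lower exposure.
    (d / "db.sql").write_text("-- dump")
    os.chmod(d / "db.sql", 0o600)
    return d


if __name__ == "__main__":
    root = build_sample_docroot()
    for rel, readable in scan_docroot(root):
        print(f"{rel}\t{'world-readable' if readable else 'owner-only'}")
```

Run it against a real document root by passing that path to `scan_docroot` instead of the constructed tree. Anything it reports should be moved outside the served tree entirely; tightening permissions is a stopgap, since the web server account is often exactly the one that needs read access to the directory.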
The Information Commissioner, Christopher Graham, has made it very clear that had ACS Law still been trading then the fine could have been as much as £200,000: "Were it not for the fact that ACS Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach".
I feel this fine is important because it shows that the ICO is prepared to fine SME organisations large amounts and is also prepared to pursue their owners in cases of serious breach where the owner is a sole trader.
The Information Commissioner stated that: "The security measures ACS Law had in place were barely fit for purpose in a person's home environment, let alone a business handling such sensitive details". I am often shocked about how poor security is at SME organisations. Many SME business leaders do not listen to advice about security matters. I am also afraid to say that many IT suppliers also do not care about security, preferring to close a sale at any cost. They often fail to make their customers aware of the risks they face, taking a view that it is the customer’s problem if they don't recognise or understand the issues at stake.
Worse still, many SME firms run their IT systems on a shoestring, avoiding professional advice wherever possible, and only bring in competent support when things really become dire.
It is clear that Mr Graham takes a rather dim view of this approach to managing a company's IT infrastructure. He makes it clear that "Mr Crossley did not seek professional advice when setting up and developing the IT system which did not include basic elements such as a firewall and access control. In addition ACS Law's web-hosting package was only intended for domestic use. Mr Crossley had received no assurances from the web-host that information would be kept secure." The Information Commissioner clearly believes that if you are going to use IT systems then you should do it properly and not on a shoestring.
This fine also highlights the importance of taking proper advice and may presage a greater use of Chartered IT Professionals.
The message must be that if you use IT in your business (whatever your firm's size), you must take proper advice, you must not try to cut corners and you must not treat IT security in a cavalier fashion.