ACS Law is the UK legal practice under investigation by the Solicitors Regulatory Authority regarding its enforcement of claimed copyright infringement over the internet. The practice is responsible for the administration and distribution of letters to thousands of UK homeowners, claiming that they have been downloading and/or sharing copyrighted materials without permission. The technique of using IP addresses as evidence of an individual’s guilt is highly suspect and has been the subject of much commentary, even in the House of Lords.
ACS Law’s activities, however, attracted the attention of more than its regulatory body. User groups, lobbyists, security specialists, IP specialists, privacy evangelists, the media and government all had something to say. Recently it also drew the attention of elements within the file-sharing community, who struck back against the music and film industry and those helping it to enforce copyright law. ACS Law’s website was subjected to a DDoS (distributed denial-of-service) attack, which took it offline.
In managing the security incident, ACS Law’s data protection policies and procedures have been found wanting. Reinstating the website from backups resulted in an undisclosed number of files and databases being uploaded onto the web, including a list of 8000 alleged copyright infringers belonging to BSkyB, 400 from PlusNet, credit card details and sensitive emails between all parties concerned. Not surprisingly, this list has been copied and distributed all over the web without the permission of the alleged infringers, the ISPs or ACS Law.
Whilst there is strong evidence to suggest that ACS Law, as a processor of data, has breached its statutory obligations under the Data Protection Act, I’m also left wondering what the legal ramifications are for BSkyB. The customer list belongs to BSkyB; as such, it is their responsibility to ensure that third-party suppliers, such as ACS Law, have appropriate measures in place to ensure the confidentiality of this information, in line with data protection obligations and their own data protection policy. If data protection responsibilities have been outlined in business terms and conditions, ACS Law should be as concerned, and maybe more so, about an action for breach of contract by BSkyB. BSkyB have already expressed their displeasure and are reported to have “suspended co-operation with ACS Law … until ACS Law demonstrates adequate measures to protect the security of personal information”. This suggests that they did not seek or obtain such assurances in the first place. It is this issue which should concern BSkyB. It is their responsibility to ensure that third parties to which they release customer data have adequate security controls in place to prevent a breach of confidentiality.
The lesson here is that whilst the Information Commissioner can levy a fine of up to £500,000, the real damage may come in the form of damages and court costs for breach of contract.