There are few positive words if any I could use to describe the Information Commissioner’s Office (ICO). There are far better negative ones. “As much use as a chocolate teapot”, “Like an ashtray on a motorcycle”.
Indeed the ICO are SO inept it would be hard to imagine them being able to “Hit any water if they fell out of a boat”.
What has stirred my ire against the ICO? Is it the fact that they spent EIGHT MONTHS investigating one of the BIGGEST DATA leaks in English History? Or the fact that they concluded with a £1000 fine that if the perpetrator was good enough to pay quickly he could get a discount of 20%? Was it the sheer arrogance of the ICO when phoning them up to report a company NOT registered with them that they suggested that their register was “Voluntary” and that they “Did not chase people” who “Had not registered” with them?
NO This is what has angered me.
Can you believe it, after countless people told the ICO that ACS LAW were NOT registered as a Data Handler, when it came to their renewal the ICO wrote THREE TIMES only for Andrew Crossley to ignore them, then only seemed to notice that they should send a “Final” warning as it then occurred to the ICO that they were “..dealing with the security incident you have just experienced”. How much is it to renew your registration? £35
ACS LAW and Andrew Crossley acted with shocking disregard to the General public and their personal details, but WHO allowed them to get away with it for so long? Do you REALLY feel your information is secure with such an inept body as the ICO guarding it?
I sent the Information Commissioner’s Office (ICO) an email regarding their investigation into the ACS:LAW Data Leak.
The email contained a few simple questions.
1: Why is ACS:LAW/Andrew Crossley still registered at 20 Hanover Sq London as a Data Controller?
2: Do you think it is appropriate to offer Mr Crossley a 20% discount for early payment of his fine?
3: Do you think that Mr Crossley may have been in a better position to pay his fine had the ICO not taken so long to conclude its investigation?
The reply I got from the ICO after 14 days was this.
An obvious template response, I even got the ICO’s ACS:LAW FACT SHEET. And (wait for it) How to get compensation from ACS:LAW!!! (See Below)
Well of course my thinking was that if the ICO thought that it was only worth under 20p for everyone who has had their details leaked then imagine the Compo I would get from ACS:LAW I mean I might even get a penny a WHOLE Penny. Wow well it truly has got me thinking until of course I realised that even the cheapest postal stamp (36p) would be many times my compensation, and incidentally more than the ICO fined ACS:LAW per individual.
There has been talk by Christopher Graham the head of the ICO that he would have liked to have fined ACS:LAW £200,000 but of course that was proven to be merely a dose of hot air. (See question 2)
Mr Graham in fact has been in the news a few times since regarding other “Data protection issues” and again appears to be a mighty knight roaring about the rights and wrongs of the issue and how people should protect data, but he wields a foam sword.1 2
Maybe it is not his fault, maybe the ICO is handcuffed by legislation as Mr Graham seems to believe. One thing is sure, I and many others have been through too much disruption in our lives to leave this alone now, we have invested the most precious of commodities known to humans, that of TIME, we did not ask Mr Crossley and his ACS:LAW “clown asses” to invade our lives with their preposterous allegations.
An investigation into ACS:LAW by PCPRO this week was revealing and showed how Andrew Crossley had shown the ICO to be mugs. An ICO spokesperson had told ZDNET “The £1,000 reflects his financial condition. He did drive a Bentley at one point, but he doesn’t now.” Well guess what PCPRO saw when they turned up at Crossley’s house? The Bentley still on his drive.
We are now over two years into this and those accused by Davenport Lyons into their third year. This whole situation has been a travesty of Justice, where the bad guys have been allowed to accuse thousands, leak their details and remain in a good position when they should be skulking back to the rock they crawled from.
There is still light though, on Tuesday this week (31st May) Dave Gore and Brian Miller the two Solicitors accused by the Solicitors Regulation Authority (SRA) will stand before their Disciplinary board (SDT) to answer for their actions in pursuing people they KNEW to be innocent. Andrew Crossley’s date is also coming soon. There is real hope that partial justice may be done to these people.
It remains to be seen whether the SRA will act in a proper way and not in the way that the ICO has acted like a “Toothless Tiger”.
When the ACS:LAW scandal broke, the lives of thousands of people were turned upside down. Up until that point people had been upset with letters threatening to take them to court for fictitious file sharing.
But in September last year things turned even more bizarre as ACS:LAW released an archive of their emails online. This data breach exposed up to 10,000 people’s names, addresses and credit card details alongside their names being linked with vile pornographic material.
Indeed the ICO had been given powers to fine companies £500,000, they messed up with the BT data breach because they said that It was an individual at fault and NOT BT, Hmmmmm. Things did not bode well for the ACS:LAW investigation.
The ICO decided the case against ACS:LAW stating:
“The security measures ACS Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details.”
Wow powerful stuff right?
The ICO went on
“As Mr Crossley was a sole trader it falls on the individual to pay the fine. Were it not for the fact that ACS Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach. Penalties are a tool for achieving compliance with the law and, as set out in our criteria, we take people’s circumstances and their ability to pay into account.”
“Were it not for the fact that ACS Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed”
Hmmm so Crossley gets to CLOSE his company, the very action which brought derision from Judge Birss along with many people who had been affected by his nasty letters, and he gets off with a grand to pay because of this deception?
The ICO goes on to say:
The ICO’s investigation found serious flaws in ACS Law’s IT security system. Mr Crossley did not seek professional advice when setting up and developing the IT system which did not include basic elements such as a firewall and access control. In addition ACS Law’s web-hosting package was only intended for domestic use. Mr Crossley had received no assurances from the web-host that information would be kept secure.
While the firm should have been aware of their obligations under the Data Protection Act, they continued to act negligently and failed to ensure that appropriate technical and organisational measures were in place to keep personal information secure.
This is worse than outrageous, as ACS:LAW actually used the fact that people had not secured their home systems and used the fact against them. They did not care if an elderly person had not secured their router or modem or their computer, it was the persons fault and they were held to account for being negligent by ACS:LAW.
Andrew Crossley must be laughing at this and the rest of us now. A measly £1000 penalty for a man who bragged of making over £1,500,000 in a year, and who lavished expensive cars on himself and his girlfriend, this is a joke. A man who lives in a 7 bedroom house worth nearly a million pound yet he pleads poverty? The ICO has let us all down. They are unfit for purpose.
Indeed £1000 is less than the price of just two of his letters that he sent out to the general public.
The interview with Christopher Graham can be seen here, please don’t hold a hot drink whilst watching, the sheer disconnect between the interview and the reality might just choke you.
UPDATE: To add insult to injury it is revealed that IF Andrew Crossley pays his “Penalty” by June 6th 2011, he will receive an “Early pay Bonus” of 20% meaning he will only have to pay £800.
UPDATE 2: See below for the ICO Ruling
UPDATE 3: For those of you who wish to complain about this ruling
To Complain to the ICO themselves: http://www.ico.gov.uk/complaints/satisfied_with_our_service/complaints_and_compliments.aspx
To write to your MP: http://www.writetothem.com/
If a Man claims that he won’t burgle a shop, and has “Safeguards” to prevent himself from doing so, but then burgles the shop anyway, can you imagine a Judge saying, “Oh that’s ok, you had ‘safeguards’ so that you wouldn’t do it, the fact you HAVE done it is irrelevant”, can you see this happening? No of course not, but in what can only be described as a “parallel universe” ruling, the Information Commissioner’s Office (ICO) has done just that.
BT who sent details of their Subscribers to ACS:LAW, didn’t even encrypt the Excel Documents. ACS:LAW had gone to Court with a list of IP addresses claiming that they belonged to “Copyright Infringers”, BT WITHOUT mounting ANY defence at Court to defend their Loyal subscribers, sent the documents to ACS:LAW with NO protection whatsoever.
The Documents contained the following information on over 400 Subscribers: their names, Postal address, IP Address, Alleged date of infringement (Hit Date), Time (UK Date Time), and the Content Name.
On the Plusnet Forums, angry Subscribers wanted answers, they still do. A thread on the forum has attracted 130 pages, over 2000 replies and close to 100,000 views. They have STILL not got the answers regarding ACS:LAW. True Plusnet HAVE engaged with their subscribers on the forum, but they are stuck with having to deal with this issue via the BT Legal Team.
The ICO speaking to the Guardian said, The ICO closed its investigation into the apparent data breach earlier this month after ruling that BT was not liable for the mistake, which it said was committed by one of its employees. It added “Where it is found that the data controller has adequate policies and safeguards already in place, the usual and most appropriate outcome in these cases is disciplinary action taken by the employer”
Well we KNOW who that Employee is, his name is Prakash Mistry, he is the Senior Finance Manager at BT. Not sure about you, but I really don’t see much discipline happening there, do you? No, the ICO has acted shamefully in this, as the Solicitors Regulation Authority have in regards to ACS:LAW.
There seems NO justice for the man on the street in all of this and seems a classic example of a Corporation flouting the rules with impunity.
A letter from Prakash Mistry to ACS:LAW requesting a “Report”(A requirement of the NPO order RE Plusnet) into how many people had been taken to court, was met by an arrogant letter accusing those requesting the report on the forums were;
“… written by pro-piracy advocates with their own specific agenda” and “our client is taking away a method of obtaining their members copyrighted works without paying for them and that upsets those who have enjoyed free media this way”
These were outrageous slurs on their subscribers, met with SILENCE by BT.
These concerns of course can be dismissed, BT being a corporation (No soul to damn, no ass to kick) and ACS:LAW a one man band, whose Boss Andrew Crossley is now discredited in the eyes of many.
What can’t be dismissed is the LACK of protection afforded to those affected by the ICO, as with the SRA it seems they are toothless; ball-less, impotent shadows, paper tigers with all the bluster of action but with the movement and intent of a slug.
UK Information Commissioner Christopher Graham told the BBC he had new powers, to act with fines,(Regarding ACS:LAW) of up to £500,000, but much like the BT “Safeguards”, that only works IF IT IS USED! Can we really look forward to the ICO doing much better with the case against ACS:LAW? We wait and see, but not holding any breath.