ACS:Law and the file sharing lists
Protecting your business
Rather than speculate whether the Information Commissioner's Office is finally going to 'discharge its weapons' I thought it would be interesting to look at the realities of protecting your own business from a similar fate.
Internet activists from 4chan targeted ACS:Law during what they called Operation Payback and appear to have 'acquired' the company email database as a result of the attack. The ICO will now be looking closely at Section 55A of the Data Protection Act 1998; so should you.
Has there been a breach of the DP Principles? Yes, Principle 7.
Was the breach likely to cause substantial damage OR substantial distress? The OR is VERY important. The Act allows individuals to seek compensation for distress only if they can demonstrate damage. Section 55A does not require damage, leaving the way open for the ICO to impose a monetary penalty if individuals are likely to be distressed by the breach. What do you think? I think they're likely to be distressed!
Should or ought ACS:Law to have recognised the risk that their email and web servers were liable to attack? Yes; my nine-year-old spotted that one!
Now the clincher. Can ACS:Law demonstrate that they took reasonable steps to prevent the attack? There's a lot resting on their answer.
How would you answer the question?
Have you carried out attack and penetration testing? What documentary evidence would you rely upon to demonstrate your due diligence, your reasonable steps? Got any?
And then there's the encryption 'noise' that surrounds this case. BT (PlusNet) sent the spreadsheet unencrypted to ACS:Law. OK, not a smart move and arguably a breach of P7. But the file made it to its intended recipient. Were it encrypted, what do you think the recipient would do? How about decrypt it, open the file and put it in C:\ or on a network share. The fact that it was not re-encrypted after opening means it remains vulnerable to the likes of a 4chan attack.
Are we really going to go to these lengths? I think not. So how will you create a digitally secure repository for sensitive files?
Food for thought, as always.