Posted: 02nd Feb, 2011 By: MarkJ
The UK Information Commissioner's Office (ICO) has dropped an investigation into BT (PlusNet) after the broadband ISP sent unencrypted customer data for hundreds of users to ACS:Law over allegations of internet copyright infringement, despite a court requirement for the data to have been sent securely via optical media.
However, the situation probably wouldn't have seen the light of day had it not been for ACS:Law's failed attempts to restore its website after a massive DDoS attack took it offline. During those restoration attempts the controversial solicitors' firm negligently allowed a backup of its recent email archives to be exposed, which was promptly downloaded and spread across the internet.
As a result of that incident approximately 400 to 500 BT (PlusNet) customers found that their private details had been left completely exposed, which might not have happened had BT encrypted the information, as its own rules required. Sky Broadband also ran into similar trouble with a list covering roughly 8,000 of its customers, and that is still the subject of a separate investigation.
The situation prompted Privacy International (PI) to lodge an official complaint with the ICO. However, The Guardian reports that the ICO has now been forced to drop the case because BT cannot be held responsible for an error by one of its employees, nor for what subsequently happened at ACS:Law.
According to PI Advisor Alexander Hanff (blog):

"Let me make it clear that it is not unusual for the ICO not to exercise their enforcement powers; in fact it is an issue which has been raised by advocates and politicians over and over again. It has been clear for some time that the ICO are completely enveloped by regulatory capture and that Christopher Graham is not just out of his depth in his role as the Information Commissioner but is completely detached from the rest of his staff and is, in my opinion, completely unfit for that role.

However, what makes this latest decision by the ICO worse than their usual incompetence is that the ICO have decided BT Group PLC are not responsible for the breach of the Data Protection Act because it was one of their employees who sent the unencrypted data (which, remember, put BT Group PLC in breach of a Court Order).

This is an incredibly dangerous decision for the ICO to have made as it effectively dissolves any pretence that a company is responsible for the actions of their employees at work. Christopher Graham has, in essence, now created a Data Protection regime where companies will not be held responsible for the actions of their staff."
In fairness, the complexities of the situation meant that this was always going to be a difficult case for the ICO to handle. Meanwhile ACS:Law holds the most responsibility for allowing the information itself to be leaked, although the firm's owner (Andrew Crossley) recently claimed that their email had been "hacked". That would be very difficult to investigate.
Last week the ICO revealed the results of a new survey, which found that 80% of people are concerned about their personal details online. The study also found that 96% of individuals surveyed are concerned that organisations do not keep their details secure, and a further 60% believe that they have lost control of the way their personal information is collected and processed.