ACS:Law fined £1000 for Sloppily Securing File-Sharers’ Personal Details

Kalen Lumsden is a JD candidate at Osgoode Hall Law School.

Andrew Crossley, the sole practitioner of ACS:Law, has been fined £1000 for failing to properly secure the personal details of file-sharers targeted by his firm. Among the information leaked were the identities of individuals ACS:Law had threatened with legal action for file-sharing pornography.

The cause of the leak was the hacking of ACS:Law’s servers. Anonymous, a self-proclaimed group of activist hackers, have claimed responsibility. Andrew Crossley was found liable for failing to encrypt the personal information stored on his servers or otherwise meet a reasonable standard of security.

In Canada, personal information of the nature handled by ACS:Law requires protection through reasonable security measures. The Canadian Bar Association, in its Guidelines for Practising Ethically with New Information Technologies, recommends that lawyers “implement computer access restrictions (e.g. strong passwords and encryptions) to protect confidential information that is stored electronically.” The Law Society of Upper Canada, in its Practice Management Guidelines on Technology, states that “[l]awyers should have a reasonable understanding of the technologies used in their practice or should have access to someone who has such understanding.” Furthermore, the Guidelines state that to maintain legal and ethical obligations regarding confidentiality:

When using electronic means to communicate in confidence with clients or to transmit confidential messages regarding a client, a lawyer should

  • develop and maintain an awareness of how to minimize the risks of disclosure, discovery or interception of such communications
  • use reasonably appropriate technical means to minimize such risks
  • when the information is extraordinarily sensitive, use and advise clients to use encryption software to assist in maintaining solicitor and client communications
  • develop and maintain law office management practices that offer reasonable protection against inadvertent discovery or disclosure of electronically transmitted confidential messages.

ACS:Law’s business practice was considered contentious. Typically, it sent massive numbers of letters threatening legal action for file-sharing materials that were often embarrassing, and then offered to settle for £500. To say this tactic was unpopular would be an understatement. Many commentators equated it to extortion.

ACS:Law was essentially bankrupted by a recent high court decision, which forced Crossley to make good on his threats and take his prospective cases to court (previously discussed by IP Osgoode here). Faced with more litigation than it could handle and cases that wouldn’t actually stand up in court, ACS:Law was forced to cease trading. This is why the court imposed the fine of £1000 on Crossley personally instead of £200 000 on ACS:Law. According to Information Officer Christopher Graham, who imposed the fine, this would be more appropriate considering that the private information of over 6000 people was breached.

Andrew Crossley faces disciplinary action under the UK Solicitor’s Act for his leading role in this debacle.

The rise and fall of ACS:Law is a case study in the ongoing debate surrounding the appropriate method of enforcing laws against file-sharing and whether the burden of copyright enforcement should fall on public agencies, such as the police, or the rightsholders themselves. ACS:Law can be viewed as an example of third-party private enforcement in the legal context of the United Kingdom. In the United States, Righthaven LLC, a private firm, has a similar business agenda. It usually acquires copyrights of images used in newspapers and then seeks legal enforcement of those rights, often through domain seizures of blogs that comment on the material. Whether Righthaven will meet the same ignominious end as ACS:Law remains to be seen.