Blog Directory : Listing Details


Recent Posts:

ID: 656
Title: Alastair Revell's Blog
URL: http://blogs.rrs.co.uk/revella
Feed URL: http://blogs.rrs.co.uk/revella/SyndicationService.asmx/GetRss
Category: Business: Small Business
Description: The views and opinion of UK Chartered IT Professional (CITP) and Managing Consultant of Revell Research Systems, Alastair Revell, on the IT profession and technology issues in general.
City: Exeter
State: United Kingdom
Would You Risk the Wrath of the Information Commissioner? - Tue, 10 May 2011 16:00:10 GMT

The Information Commissioner's fining of solicitor Andrew Jonathan Crossley is interesting in several respects and contains an important message for many small businesses.

The £1,000 fine was announced by the Information Commissioner's Office (ICO) today in a press release.

Mr Crossley was the owner of the law firm ACS Law, which has recently ceased trading. The firm gained widespread exposure for its aggressive pursuit of those alleged to have infringed copyright through peer-to-peer file sharing activities in recent years. It seems that many of those pursued by the firm were probably innocent and I understand that the only successful prosecutions in this matter were won by default when the defendants failed to appear in court.

In September 2010, ACS Law's web site was seriously attacked, causing it to crash. In the subsequent aftermath, a backup file containing emails between ACS Law's employees and other parties appeared on the web site, which allowed anyone to access around 6,000 people's sensitive personal information. These emails included credit card details as well as references to people's sex life, health and financial circumstances.

The Information Commissioner, Christopher Graham, has made it very clear that had ACS Law still been trading then the fine could have been as much as £200,000: "Were it not for the fact that ACS Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach".

I feel this fine is important because it shows that the ICO is prepared to fine SME organisations large amounts and is also prepared to pursue their owners in cases of serious breach where the owner is a sole trader.

The Information Commissioner stated that: "The security measures ACS Law had in place were barely fit for purpose in a person's home environment, let alone a business handling such sensitive details". I am often shocked about how poor security is at SME organisations. Many SME business leaders do not listen to advice about security matters. I am also afraid to say that many IT suppliers also do not care about security, preferring to close a sale at any cost. They often fail to make their customers aware of the risks they face, taking a view that it is the customer's problem if they don't recognise or understand the issues at stake.

Worse still, many SME firms run their IT systems on a shoestring, avoiding professional advice wherever possible, and only bring in competent support when things really become dire.

It is clear that Mr Graham takes a rather dim view of this approach to managing a company's IT infrastructure. He makes it clear that "Mr Crossley did not seek professional advice when setting up and developing the IT system which did not include basic elements such as a firewall and access control. In addition ACS Law's web-hosting package was only intended for domestic use. Mr Crossley had received no assurances from the web-host that information would be kept secure." The Information Commissioner clearly believes that if you are going to use IT systems then you should do it properly and not on a shoestring.

If anything, this fine also highlights the importance of taking proper advice and may presage a greater use of Chartered IT Professionals.

The message must be that if you use IT in your business (whatever your firm's size), you must take proper advice, you must not try to cut corners and you must not treat IT security in a cavalier fashion.



This weblog is produced by Revell Research Systems.

US Diplomatic ‘WikiLeaks’ Inevitable - Fri, 03 Dec 2010 10:42:12 GMT

I was interested in what Sir Christopher Meyer (HM Ambassador to the United States between 1997 and 2003) had to say about WikiLeaks on BBC Question Time last night.

I understand from what he was saying that the United States created a massive 'intranet' to share intelligence from around the world between their agencies as part of their response to the 11th September 2001 attacks. They wanted a clearer picture of the emerging threats to the United States.

He suggests that over two and a half million people have access to this 'intranet' and implies that leaks were inevitable.

I feel that there is an important lesson here for any government or commercial enterprise that tries to build massive databases. The more people who have access, the more likely there is to be a leak.


NHS: Can we trust them with the Patient Summary Care Record Data? - Wed, 02 Jun 2010 15:56:23 GMT

I find it worrying that the Information Commissioner's Office (ICO) reports that the NHS is the United Kingdom's worst offender in terms of keeping personal data, especially in light of the Patient Summary Care Record scheme, which will eventually hold details from most people's medical records.

The question for me is simple: Can they be trusted to look after computerised medical records?

According to a spreadsheet accompanying the ICO's press release of 28th May 2010, the NHS has reported more breaches than any other body to date. The data shows that these losses have largely been through either lost or stolen data/hardware rather than insecure disposal or accidental disclosure.

I agree absolutely with David Smith, the Deputy Commissioner, who said: "The ICO maintains it is essential that the protection of people's personal information is part of organisations' culture and DNA."

However, the issue of data protection is clearly wider in scope than our trust in the NHS' ability to keep our data secure.

The press release actually marks the 1,000th breach reported to the ICO, with the actual number now standing at 1,007. A rough calculation suggests that between one-in-two and one-in-three people in the United Kingdom have had their personal data compromised.

The ICO have said that although more personal data has been lost by the NHS, the largest ever breach reported was the loss of 25M people's personal data by HMRC on two CDs in November 2007.

However, the data shows that the second largest offender collectively is the private sector, which doesn't surprise me. Worse still, I suspect that most private sector breaches probably go unreported, so this figure might be the tip of the iceberg.

The ICO is keen to remind organisations that it can now levy fines of up to £500,000 per breach.

If you would like to know more about the new powers the Information Commissioner acquired in April 2010 and what the outcome might be should you be reckless with personal data then you might like to read my recent blog on data protection!
