Feb 012011
 February 1, 2011  Posted by  Breaches, Non-U.S.

Josh Halliday reports:

Privacy groups have attacked the Information Commissioner’s Office (ICO) for dropping its investigation into BT, which in September emailed details about more than 500 of its customers to a law firm.

The ICO told the Guardian that BT cannot be held responsible for the action, in which a spreadsheet with confidential information including names, addresses and telephone numbers was sent in plain text by one of BT’s staff to the solicitors’ firm ACS:Law in connection with allegations of online copyright infringement. The spreadsheet, which by BT’s own rules should have been encrypted, later leaked onto the web when ACS:Law’s site came under attack from online activists.


The ICO closed its investigation into the apparent data breach earlier this month after ruling that BT was not liable for the mistake, which it said was committed by one of its employees.

BT became embroiled in a wider row over data privacy late last year when the confidential details of thousands of UK internet users – including Sky, TalkTalk and BT Plusnet customers – leaked online in the aftermath of the attack on ACS:Law’s website. The ICO is presently investigating that leak separately from the BT breach, and could levy a £500,000 fine on any guilty party.

Read more in the Guardian.

Since when isn’t a company liable for a breach just because one of its employees may have violated its policies? I’m with Privacy International and Big Brother Watch on this one, although given how the ICO typically only has entities sign “undertakings,” I don’t know that I would have expected the ICO to do much more than that with respect to the failure to encrypt part of the incident.

Update: Alexander Hanff of Privacy International has blogged about the ICO’s decision and his concerns about it on his blog.

Update 2: V3.co.uk covers the controversy and includes some quotes from the ICO and Stewart Room that provide another perspective on the issue of whether – or when – the ICO should pursue action against an entity whose employee has not adhered to policies or who has engaged in criminal activity.

Sorry, the comment form is closed at this time.