Out-Law / Your Daily Need-To-Know

Out-Law News

Law firm could face first £500,000 data leak fine


A law firm could be fined up to £500,000 by the Information Commissioner after the sensitive personal data of thousands of people was reportedly made public in error.

ACS:Law acted for content producers taking action against alleged copyright infringers and kept information on its systems about people and the material, including pornography, they were accused of copying or sharing.

The law firm was the subject last week of a denial of service attack, in which automated attempts to access a website make its server fail and effectively take the site offline. It has been reported that in the process of the website coming back online a backup database of emails was made public.

Those emails reportedly expose the names and other personal details of individuals accused of illegally copying pornographic material. The number of individuals is reported to be higher than 10,000.

Information Commissioner Christopher Graham told the BBC that it would investigate the matter, and hinted that the case could provide a first chance to use the extra powers the Commissioner was recently granted.

"The question we will be asking is how secure was this information and how it was so easily accessed from outside," Graham told BBC News. "We'll be asking about the adequacy of encryption, the firewall, the training of staff and why that information was so public facing."

"The Information Commissioner has significant power to take action and I can levy a fine of up to half a million pounds on companies that flout the Data Protection Act," he said. "I can't put [ACS Law] out of business, but ... a company that is hit by a fine of half a million pounds suffers real reputational damage."

The Data Protection Act requires that companies which gather and store personal data protect it effectively and ensure it remains private. Extra protection is offered in the law for data which is sensitive, a description which might be applied to the details of pornography usage which have been made public.

"Any organisation processing personal data must ensure that it is kept safe and secure," said a statement from the Information Commissioner's Office (ICO). "This is an important principle of the Act. The ICO will be contacting ACS:Law to establish further facts of the case and to identify what action, if any, needs to be taken."

ACS:Law acted on behalf of content companies, writing to people that automated systems identified as having uploaded or downloaded material without copyright holders' permission. ACS:Law wrote to alleged infringers to demand settlement payments.

The controversial conduct, which resulted in a recent referral of the firm to the disciplinary tribunal of the Solicitors Regulation Authority (SRA), has been condemned by consumer groups and some internet service providers (ISPs).

Consumer body Which? complained about ACS:Law to the SRA, and has said that its behaviour was "aggressive and bullying" and that the recipients of letters had been treated "appallingly".

BSkyB has said that its ISP business will no longer provide ACS:Law with the information it needs to connect internet protocol addresses used for alleged infringements to actual users until the firm "demonstrates adequate measures to protect the security of personal information".

ISP TalkTalk said that none of its customers are involved in the data breach because it had refused to comply with ACS:Law's requests for that information.

"TalkTalk has never given any customer details to ACS Law or any other law firm ... so our customers will not be affected by this breach," said TalkTalk's head of strategy and regulation Andrew Heaney in a blog post. "While we do not condone illegal filesharing, we have consistently argued for better ways of combating copyright theft. Handing over customer details to law firms to seek ‘compensation’, based on accusations from rightsholders, is not the answer."

The denial of service attack which initially took the website offline was reportedly co-ordinated by users of the discussion forum 4Chan and a group called Anonymous. Called Operation Payback, the activity has targeted other groups involved in taking action against alleged copyright infringers, such as the Motion Picture Association of America and the Recording Industry Association of America.
