Insurance Company Loses Customer Data

Eight laptops have been stolen or lost from the London Mutual Insurance Society, containing details of more than 2,000 customers

An insurance company has been found in breach of the Data Protection Act after laptops containing 2,000 customers’ details went missing from its offices.

London Mutual Insurance Society was criticised by the Information Commissioner’s Office (ICO) for failing to take adequate precautions to safeguard customer data after eight laptops in total went missing from the company’s Edinburgh offices – two of which held customer data.

The company has not clarified if the machines were stolen or lost and covered both bases in an undertaking to the ICO signed by the company’s chief executive Michael Yardley. “The Information Commissioner (the “Commissioner”) was provided with a report of the theft or loss of eight laptops from the Edinburgh offices of the data controller, which occurred sometime between 15 April and 15 June 2009,” the undertaking stated.

Customer details unencrypted

The undertaking also revealed that the two machines containing the customer data were password protected but not encrypted. “They contained a significant amount of personal data relating to 2,135 individuals,” the undertaking stated. “These individuals were employees of various firms which had sought pension scheme illustrations from the data controller via independent financial advisers.”

According to the ICO, the company did not appear to know where the machines were at any one time or what data they actually contained. “It is particularly concerning that the organisation was unaware of the whereabouts of the laptops at any given time or what information they held,” said Mick Gorrill, head of enforcement at the ICO. “All staff members should be fully aware of the policies and procedures in place to safeguard personal information and should be appropriately trained.”

In January the ICO warned that businesses that do not own up to data breaches will face tougher action than those that come forward of their own volition.  The ICO said that more than 800 data security breaches have been reported over the last two years. The ICO warns that companies that approach it voluntarily will still face some action, but those businesses which attempt to cover-up security incidents will be hit with much tougher penalties.

The Conservative Party’s plans to increase privacy and reduce the amount of government data will involve a big increase in the powers of the Information Commissioner, a London meeting heard recently. “Our personal data belongs to us, and the government holds it on trust,” said Eleanor Laing, MP, the shadow Minister for Justice, speaking at a Westminster Legal Policy Forum meeting in London.

In February a mortgage company was found in breach of the Data Protection Act after accidentally emailing details of more than 15,000 customer accounts to the wrong address.