An insurance company has been found in breach of the Data Protection Act after laptops containing 2,000 customers’ details went missing from its offices.
London Mutual Insurance Society was criticised by the Information Commissioner’s Office (ICO) for failing to take adequate precautions to safeguard customer data after eight laptops in total went missing from the company’s Edinburgh offices – two of which held customer data.
The company has not clarified if the machines were stolen or lost and covered both bases in an undertaking to the ICO signed by the company’s chief executive Michael Yardley. “The Information Commissioner (the “Commissioner”) was provided with a report of the theft or loss of eight laptops from the Edinburgh offices of the data controller, which occurred sometime between 15 April and 15 June 2009,” the undertaking stated.
The undertaking also revealed that the two machines containing the customer data were password protected but not encrypted. “They contained a significant amount of personal data relating to 2,135 individuals,” the undertaking stated. “These individuals were employees of various firms which had sought pension scheme illustrations from the data controller via independent financial advisers.”
According to the ICO, the company did not appear to know where the machines were at any one time or what data they actually contained. “It is particularly concerning that the organisation was unaware of the whereabouts of the laptops at any given time or what information they held,” said Mick Gorrill, head of enforcement at the ICO. “All staff members should be fully aware of the policies and procedures in place to safeguard personal information and should be appropriately trained.”
In January the ICO warned that businesses that do not own up to data breaches will face tougher action than those that come forward of their own volition. The ICO said that more than 800 data security breaches have been reported over the last two years. The ICO warns that companies that approach it voluntarily will still face some action, but those businesses which attempt to cover-up security incidents will be hit with much tougher penalties.
The Conservative Party’s plans to increase privacy and reduce the amount of government data will involve a big increase in the powers of the Information Commissioner, a London meeting heard recently. “Our personal data belongs to us, and the government holds it on trust,” said Eleanor Laing, MP, the shadow Minister for Justice, speaking at a Westminster Legal Policy Forum meeting in London.
In February a mortgage company was found in breach of the Data Protection Act after accidentally emailing details of more than 15,000 customer accounts to the wrong address.
Welcome to Silicon UK: AI for Your Business Podcast. Today, we explore how AI can…
Japanese tech investment firm SoftBank promises to invest $100bn during Trump's second term to create…
Synopsys to work with start-up SiMa.ai on joint offering to help accelerate development of AI…
Start-up Basis raises $34m in Series A funding round for AI-powered accountancy agent to make…
Data analytics and AI start-up Databricks completes huge $10bn round from major venture capitalists as…
Congo files legal complaints against Apple in France, Belgium alleging company 'complicit' in laundering conflict…
View Comments
It is not uncommon for organizations to report lost or stolen laptop computers that contain sensitive information. Laptops are not the place to store critical information. Responsible company security policies should dictate that sensitive information, whether it be Social Security numbers, credit card numbers or proprietary company information – should be stored in controlled database environment. If this data is stored and protected in the database, database activity monitoring and controls can be implemented to deliver alerts if employees download critical information onto a laptop computer in violation of corporate policy.
Thom VanHorn, Vice President of Global Marketing, Application Security, Inc.