Royal London Mutual Insurance Society has breached the Data Protection Act after eight laptops were stolen from the company’s Edinburgh offices.
Two of the laptops contained the personal details of 2,135 people. This information was password protected but unencrypted. The company admitted that it did not know the precise location of the laptops at any given time and that managers were unaware that personal information was stored on any of the laptops. Given this lack of care, it was hardly surprising that the company was also found to employ insufficient physical precautions to secure the data.
Company group chief executive Michael Yardley has signed an official undertaking from the Information Commissioner’s Office (ICO) to encrypt portable devices, including laptops, and to fit appropriate physical security measures to prevent future security breaches.
Chris McIntosh, CEO of Stonewood, said such poor care of company data was unacceptable behaviour for organisations such as insurance firms that are trusted with sensitive personal data.
“Once again the ICO has pressured an organisation into taking remedial steps to prevent such a data loss happening again. And once again, the details of the case show that organisations simply aren’t taking the threat of the loss or theft of data seriously enough. Too many organisations take an ‘it only happens to other people’ approach, assuming these breaches won’t affect them, until they inevitably do,” said McIntosh.