Who: Information Commissioner’s Office
Where: UK
When: January 2016
Law stated as at: 10 January 2016
What happened:
The Information Commissioner’s Office (ICO) has fined the insurance company Royal & Sun Alliance plc (“RSA”) £150,000 for failing to take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data. The failure related to the theft of a portable ‘Network Attached Storage’ device, which was stolen from an employee of RSA between 18 May and 30 July 2015.
A penalty notice issued by the ICO indicated that the stolen device contained the names, addresses, bank account and sort code numbers of almost 60,000 customers, and the names, addresses and credit card numbers of 20,000 customers. The breach was compounded by RSA’s failure to implement additional measures relating to the security of the information, including, for example, encryption. As at the date the fine was issued, the device had yet to be recovered.
An RSA spokesperson has since apologised to the customers affected by the breach. The insurance company spokesperson confirmed that “…there remains no evidence to suggest that the stolen storage device has resulted in any economic loss for the customers involved”. The company also confirmed that it has “…reviewed and reinforced our data protection procedures to mitigate the risk of this happening again”.
Why this matters:
The ICO’s Head of Enforcement, Steve Eckersley, stated “There are simple steps companies should take when using this type of equipment including using encryption, making sure the device is secure and routine monitoring of equipment”. Companies must ensure adequate precautions are taken to protect customer information, particularly where financial information is concerned.
In its penalty notice issued to RSA, the ICO outlined a number of steps it considered necessary in the circumstances including: encryption; physically securing devices capable of being taken offline; routinely monitoring whether such a device has been taken offline and, if so, a suitable escalation procedure; installing CCTV in appropriate access points; restricting access to essential staff, and only when accompanied; and utilising and monitoring access logs.
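One way to implement the “routinely monitoring whether such a device has been taken offline” step with an escalation tier, as an added example that is not from the ICO notice or from RSA: the script below reads a constructed heartbeat log (the device names, timestamps and thresholds are assumed) and classifies each expected device as ok, warn or escalate by how long it has been silent, treating a device that has never reported at all as the most severe case.

```python
from datetime import datetime, timedelta

# Constructed sample heartbeat log, one "<ISO timestamp> <device> <event>" per line.
# Not real data from the ICO notice; nas-01 stops reporting after 09:00.
HEARTBEAT_LOG = """\
2015-05-18T08:00:00 nas-01 heartbeat
2015-05-18T08:00:00 nas-02 heartbeat
2015-05-18T09:00:00 nas-01 heartbeat
2015-05-18T09:00:00 nas-02 heartbeat
2015-05-18T10:00:00 nas-02 heartbeat
2015-05-18T11:00:00 nas-02 heartbeat
"""


def parse_heartbeats(log_text):
    """Return {device: latest heartbeat time} from the log text."""
    last_seen = {}
    for line in log_text.splitlines():
        ts, device, event = line.split()
        if event != "heartbeat":
            continue
        t = datetime.fromisoformat(ts)
        if device not in last_seen or t > last_seen[device]:
            last_seen[device] = t
    return last_seen


def classify_silence(last_seen, now, warn_after, escalate_after):
    """Map each device to 'ok', 'warn' or 'escalate' by time since last heartbeat."""
    levels = {}
    for device, t in last_seen.items():
        gap = now - t
        if gap >= escalate_after:
            levels[device] = "escalate"
        elif gap >= warn_after:
            levels[device] = "warn"
        else:
            levels[device] = "ok"
    return levels


def check_devices(log_text, now_iso, expected_devices,
                  warn_hours=1, escalate_hours=2):
    """Classify every expected device; a device with no heartbeat at all escalates."""
    now = datetime.fromisoformat(now_iso)
    levels = classify_silence(parse_heartbeats(log_text), now,
                              timedelta(hours=warn_hours), timedelta(hours=escalate_hours))
    for device in expected_devices:
        levels.setdefault(device, "escalate")  # assumed policy: unknown silence is worst case
    return levels
```

In a real deployment the escalate level would trigger the notice’s “suitable escalation procedure”, for example a ticket to the team responsible for physically securing the device.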
Appropriate measures should take into account the amount of data held, the nature of the personal data and the potential consequences of any breach.