The Information Commissioner's Office (ICO) has reported that the Royal London Mutual Insurance Society lost eight laptops and the personal details of 2,135 people.
It has declared that the insurance provider breached the Data Protection Act when the laptops were stolen from the company's Edinburgh offices. Two of the laptops contained the personal details, and the individuals affected were employees of various firms that had sought pension scheme illustrations.
The ICO reported that the two laptops were unencrypted, but were password protected. An internal report established that the company was uncertain about the precise location of the laptops at any given time and that physical security measures were inadequate.
The report also revealed that managers were not aware that personal information was stored on any of the laptops, which meant no additional precautions to control and secure the data had been taken.
Michael Yardley, group chief executive officer of the Royal London Mutual Insurance Society, has now signed an official undertaking to ensure that portable and mobile devices including laptops are encrypted.
Mick Gorrill, head of enforcement at the ICO, said: “It is particularly concerning that the organisation was unaware of the whereabouts of the laptops at any given time or what information they held. All staff members should be fully aware of the policies and procedures in place to safeguard personal information and should be appropriately trained.”
Chris McIntosh, CEO of Stonewood, said: “Once again the ICO has pressured an organisation into taking remedial steps to prevent such a data loss happening again, and once again, the details of the case show that organisations simply are not taking the threat of the loss or theft of data seriously enough.
“Too many organisations take an ‘it only happens to other people’ approach, assuming these breaches will not affect them, until they inevitably do. For organisations such as insurance companies, trusted with the sensitive personal data of not just their employees but also a multitude of customers, this is quite frankly unacceptable.
“Royal London seems to have scored a hat trick of errors in this incident: the lack of knowledge of machines' contents; the lack of insight into laptops' locations; and the lack of encryption on machines have all combined to make this loss much more serious than it need have been.
“Keeping track of the contents and location of company property should be a simple administrative matter, and effective, tamper-proof encryption on laptops and memory storage is now more than affordable. Organisations need to start paying attention, take more care to protect, track and encrypt their data, and aim to prevent the ICO making any more announcements such as this one.”