The personal details of more than 600 people were lost by E*Trade Securities almost two years ago.
According to the Information Commissioner's Office (ICO), the company discovered that a large number of customer files were missing in April 2010, when a request was made to retrieve archived documents held in a storage facility in the UK.
The files contained the personal data of 608 people, and they remain missing. Most of the files included identification documents, proof of address and account application forms. The company informed the ICO about the breach in December 2010 after all attempts to find the information had failed. Initial inquiries found that E*Trade Securities did not have a formal agreement in place with the contractor responsible for securely storing its client data.
Steve Eckersley, head of enforcement at the ICO, said: “This breach was caused by the company failing to have the necessary security measures in place to keep their clients' information secure.
“The fact that customer records are being archived in a storage facility and not regularly accessed does not give businesses licence to forget about them. This case demonstrates how important it is to stipulate in writing how long personal information needs to be kept, how regularly it should be reviewed and when it can be securely destroyed.”
Details of this breach follow yesterday's news that a laptop containing personal and medical information of up to 1,500 people was stolen from a podiatry clinic in Hampshire. The laptop contained unencrypted data and was taken from the Walking On Air clinic in Gosport on Tuesday; according to BBC News, podiatrist Natasha Townsend said the laptop did have a password.
Townsend said: “It's got personal information on it, but mostly all my medical patient notes which I need. I didn't really know much about encryption and things like that. I'm not very good with computers.”
ICO spokeswoman Dawn Monaghan said: “We always investigate breaches that are brought to [our attention]. Medical records in the terms of the Data Protection Act are considered to be sensitive personal data, and over the past 18 months, about 40 of the investigations we have looked into have related to mobile devices that have been lost.”
Chris McIntosh, CEO of Viasat UK, said: “The facts of this theft show that the message is still not getting through on data protection: in particular, we cannot rely on individuals knowing how to deal with sensitive data.
“While it appears that Ms Townsend was genuinely unaware of the need for encryption, the industry needs to do more to meet their obligations to securely handle patient information. Perhaps the ICO might have a role to play in helping organisations within industries such as these where further education is obviously needed.
“There are already rules in place within the medical profession concerning confidential patient information, and data protection policies should be perceived as equally important to ensure this information is safeguarded.”