Royal & Sun Alliance (RSA) PLC has felt the heavy hand of the Information Commissioner's Office (ICO) which has fined it £150,000 after a device containing the details of nearly 60,000 customers was stolen.
RSA has been found in breach of the Data Protection Act, the legislation which governs and protects personal data held by organisations. Between mid-May and the end of July 2015, a ‘network attached storage’ device was stolen by someone with access to RSA's data server room in Horsham.
According to the ICO, 40 individuals, including contractors, were allowed access to the room without supervision. Whether or not the thief has been caught is not yet known to this publication, but the device is still at large.
The device contained the names, addresses, bank account numbers and sort codes of 59,592 customers, as well as 20,000 credit card ‘primary account numbers’. While the device was apparently password protected, it was unencrypted, according to the penalty notice.
The ICO cited RSA for a great number of failings. Aside from not encrypting the data before loading it onto the device, the company did not monitor whether the device remained online, so its removal went unnoticed. The penalty notice also states that access to the room in which the device was held was not monitored, even by CCTV, and that employees were allowed to enter the room without supervision.
Considering the number of individuals affected, the nature of the information stolen and RSA's failure to properly protect that data, the ICO found a serious contravention of the seventh data protection principle, which governs security breaches: “The contravention was of a kind likely to cause substantial damage or substantial distress. RSA knew or ought to have envisaged those risks and it did not take reasonable steps to prevent the contravention.”
While the maximum possible fine could have been £500,000, the ICO found mitigating features to reduce that sum to £150,000. The company notified its customers and offered up to two years of anti-fraud protection as well as “substantial remedial action”.
Furthermore, the stolen data is not known to have been “further disseminated or accessed by third parties, and has not been used for fraudulent purposes”.
While RSA failed to protect the device, Dr Bernard Parsons, co-founder and CEO of Becrypt, told SC Media UK that the company “should be commended on their use of passwords and building security to protect the data – as well as having systems in place to identify the information stolen, as many organisations still lack an effective central management system. However, this will not be of much comfort to the almost 60,000 customers dealing with the stress of their confidential information potentially falling into the hands of criminals.”
If the company had encrypted the data on the device, the story might be different, added Parsons: “These kinds of data loss incidents can be prevented if all potentially sensitive and valuable information stored on portable storage devices is encrypted against unauthorised access by default. This means that, even if the worst happens and a device is stolen by an insider, the organisation can be confident that the data it contains will be safe from abuse.”
Of late, the ICO has taken a far more proactive approach in dealing with those who fail to protect customer data. Most notable in that trend was perhaps the decision to fine TalkTalk, famously breached in 2015, a total of £400,000.
In that case, Information Commissioner Elizabeth Denham was unforgiving: “TalkTalk's failure to implement the most basic cyber-security measures allowed hackers to penetrate systems with ease. Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
Amid a backdrop of growing cognisance of privacy and the protection of personal data, the ICO has started to crack the whip.
These fines, while significant, pale in comparison to the potential sums payable under incoming European regulation. Under the General Data Protection Regulation, firms will be subject to fines of up to four percent of global turnover.
By comparison, ICO fines won't put much of a dent in large companies like RSA, which, according to its 2015 annual report, had revenue of £6.6 billion.
Mark James, IT security specialist at ESET, told SC that the fines should be taken in context: “Fines by the ICO for security breaches have been a matter for discussion for some time. For most, they seem fairly small, and if we think about the actual monetary value they are, the fine itself may seem fairly insignificant, but that of course is not the whole story. The PR exposure, your customer hearing about your failings and of course the damage done through the act in the first place all have a cost.”