Encryption Factor: Losing customer data costs Sun Alliance £150,000
TSE listed insurer, the Royal & Sun Alliance (“R&SA”) has been fined £150,000 by the ICO after losing personal data relating to 60,000 of its customers. The loss occurred as a result of the insurer having a hard drive stolen.
The fine was issued under Section 55A of the Data Protection Act 1998, a provision that permits the ICO to impose penalties of up to £500,000.
In this case, the fine was deemed to be appropriate; R&SA’s actions were a serious infringement of the seventh data principle, which, which requires measures to be taken against accidental loss or destruction of, or damage to, personal data.
An ICO investigation looked at the theft of a hard drive device containing 59,592 customers’ names, addresses and bank account details including account numbers and sort codes. The device also held limited credit card details of 20,000 customers, although CVC numbers and expiry dates were not affected.
ICO enforcement officers found that R&SA did not have the appropriate measures in place to protect financial information by preventing the theft at its offices in West Sussex from happening. The device was stolen from company premises either by a member of staff or a contractor, the information on it was not encrypted and the device has never been recovered.
The ICO were quick to point out that the liability could have been avoided through simple steps to keep the companies’ information safe including through encryption on the machines concerned, making sure the device was secure and monitoring the equipment routinely.
News & Insights
Bad AGMs (and how to avoid them)
AGMs mostly pass without incident, but what if you are managing shareholder concerns, an unexpected proposal or a surprise result on a vote?
Focus Antitrust - 12 December 2018
The latest edition of our regular Focus Antitrust update.
Charles Russell Speechlys advises Civica on acquisition of Trac Systems
The Corporate team has advised longstanding client, Civica Group, on its latest acquisition Trac Systems and its subsidiary Zedcore Systems.