Encryption Factor: Losing customer data costs Sun Alliance £150,000
TSE listed insurer, the Royal & Sun Alliance (“R&SA”) has been fined £150,000 by the ICO after losing personal data relating to 60,000 of its customers. The loss occurred as a result of the insurer having a hard drive stolen.
The fine was issued under Section 55A of the Data Protection Act 1998, a provision that permits the ICO to impose penalties of up to £500,000.
In this case, the fine was deemed to be appropriate; R&SA’s actions were a serious infringement of the seventh data principle, which, which requires measures to be taken against accidental loss or destruction of, or damage to, personal data.
An ICO investigation looked at the theft of a hard drive device containing 59,592 customers’ names, addresses and bank account details including account numbers and sort codes. The device also held limited credit card details of 20,000 customers, although CVC numbers and expiry dates were not affected.
ICO enforcement officers found that R&SA did not have the appropriate measures in place to protect financial information by preventing the theft at its offices in West Sussex from happening. The device was stolen from company premises either by a member of staff or a contractor, the information on it was not encrypted and the device has never been recovered.
The ICO were quick to point out that the liability could have been avoided through simple steps to keep the companies’ information safe including through encryption on the machines concerned, making sure the device was secure and monitoring the equipment routinely.
News & Insights
ECM and Brexit: business as usual?
We consider how ECM could be affected by the UK's impending departure from the EU
Clarification on Outsourcing Guidance for using Cloud in the Financial Services Sector – which rules apply?
Important announcements by the FCA and the EBA clarifying guidance on outsourcing to the cloud and third party IT Services.
KO for illegal streaming servers – the continuing fight against copyright infringement
A High Court case shows that sports rights holders are keen to protect the revenues that can be generated from ownership of such rights.