Encryption Factor: Losing customer data costs Sun Alliance £150,000
TSE listed insurer, the Royal & Sun Alliance (“R&SA”) has been fined £150,000 by the ICO after losing personal data relating to 60,000 of its customers. The loss occurred as a result of the insurer having a hard drive stolen.
The fine was issued under Section 55A of the Data Protection Act 1998, a provision that permits the ICO to impose penalties of up to £500,000.
In this case, the fine was deemed to be appropriate; R&SA’s actions were a serious infringement of the seventh data protection principle, which requires measures to be taken against accidental loss or destruction of, or damage to, personal data.
An ICO investigation looked at the theft of a hard drive device containing 59,592 customers’ names, addresses and bank account details including account numbers and sort codes. The device also held limited credit card details of 20,000 customers, although CVC numbers and expiry dates were not affected.
ICO enforcement officers found that R&SA did not have appropriate measures in place to protect the financial information and to prevent the theft at its offices in West Sussex. The device was stolen from company premises either by a member of staff or a contractor; the information on it was not encrypted, and the device has never been recovered.
The ICO was quick to point out that the liability could have been avoided through simple steps to keep the company’s information safe, including encrypting the machines concerned, making sure the device was physically secure, and routinely monitoring the equipment.