Encryption Factor: Losing customer data costs Sun Alliance £150,000
TSE listed insurer, the Royal & Sun Alliance (“R&SA”) has been fined £150,000 by the ICO after losing personal data relating to 60,000 of its customers. The loss occurred as a result of the insurer having a hard drive stolen.
The fine was issued under Section 55A of the Data Protection Act 1998, a provision that permits the ICO to impose penalties of up to £500,000.
In this case, the fine was deemed to be appropriate; R&SA’s actions were a serious infringement of the seventh data principle, which requires measures to be taken against accidental loss or destruction of, or damage to, personal data.
An ICO investigation looked at the theft of a hard drive device containing 59,592 customers’ names, addresses and bank account details including account numbers and sort codes. The device also held limited credit card details of 20,000 customers, although CVC numbers and expiry dates were not affected.
ICO enforcement officers found that R&SA did not have appropriate measures in place to protect financial information by preventing the theft at its offices in West Sussex. The device was stolen from company premises either by a member of staff or a contractor; the information on it was not encrypted, and the device has never been recovered.
The ICO was quick to point out that the liability could have been avoided through simple steps to keep the company’s information safe, including encryption on the machines concerned, making sure the device was secure and monitoring the equipment routinely.