ICO Fines Company £150k Following Theft of Portable Hard Drive

The UK’s Information Commissioner’s Office has recently imposed a fine of £150,000 against a company after a portable hard drive containing personal information of 59,592 customers was stolen by a member of staff who was permitted access to the company’s server room.

The portable hard drive contained customer names, addresses, bank account, sort code numbers and credit card information. Despite the ICO having no proof that the personal information had been accessed or misused by third parties, the ICO noted that the customers affected would be justifiably distressed that it may be accessed or misused in the future. 

Compounding the contravention, the company in question, Royal & Sun Alliance Insurance PLC (“RSA”), did not encrypt the data prior to loading them on the device. In addition, the ICO stated:

1) RSA failed to physically secure the device in the server room;
2) RSA failed to routinely monitor whether the device was still online and (if not) raise the alarm;
3) RSA did not have CCTV installed inside the server room;
4) RSA failed to restrict access to the server room to essential staff and contractors;
5) RSA permitted its staff and contractors to access the server room unaccompanied; and
6) RSA failed to monitor access to the server room.

Ultimately, RSA had failed to take appropriate technical and organisational measures to safeguard against unauthorised or unlawful access to the personal information. 

Importantly, the ICO stated that the breach by RSA was not deliberate, but the ICO was satisfied that the contraventions identified above were serious due to the number of individuals affected, the nature of the personal information stolen and the potential consequences.

This decision highlights the need for businesses to be aware of all data points within their organisation and consider the risks that those data points pose to the individuals whose data are being processed in order for the business to put in place appropriate technical and organisational measures to safeguard that data such as encrypting data and restricting or recording access to data heavy areas.

How can we help? 

We provide expert advice to businesses and other organisations on data protection matters and commercial law.  If you have concerns about data protection legislation or the ways in which your organisation uses data, contact the experienced commercial solicitors at Herrington Carmichael for specialist advice.   
Please contact Matthew Lea on 01276 686222

This publication reflects the law at the date of publication and is written as a general guide only – it is not intended to contain definitive legal advice, which should be sought as appropriate in relation to a particular matter.