The Information Commissioner’s Office (ICO) has fined two organizations for serious breaches of the Data Protection Act – the first to be issued under new tougher guidelines in the UK.
The security breach at Sheffield-based firm A4e happened in June 2010, after the company issued an unencrypted laptop to an employee in order to do work from home. The laptop was subsequently stolen from the employee’s house.
That wouldn’t have mattered too much, of course, if the laptop hadn’t contained sensitive information. Unfortunately it carried personal data relating to 24,000 people who had used community legal advice centers in Hull and Leicester.
Personal details recorded on the laptop included full names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence.
It is understood that an unsuccessful attempt was made to access the data on the hard drive shortly after the computer was stolen. Quite rightly, A4e reported the incident to the ICO, and subsequently notified the people whose data could have been accessed.
The ICO have now fined A4e a total of £60,000, saying that the data loss could have caused individuals “substantial distress”, and admonished them for not putting encryption in place despite knowing the amount and type of sensitive data being held on the laptop.
And that’s the point, of course. The entire problem and the subsequent fine was entirely avoidable – if the laptop had been properly encrypted, as Information Commissioner Christopher Graham noted:
“Thousands of people’s privacy was potentially compromised by the company’s failure to take the simple step of encrypting the data”.
In a separate incident, Hertfordshire County Council has also been fined £100,000 by the ICO after it faxed details of a child sex abuse case to a member of the public.
Both Herefordshire County Council and A4e have apologized for the serious security breaches.
The ICO was granted new powers by the British government earlier this year allowing it to fine companies up to £500,000 for breaches of the Data Protection Act.
More information about the ICO’s powers can be found on the ICO’s website, where it has published more information on the Data Protection Act.
You can read more opinion on this case from Graeme Stewart, who blogs about security in the public sector for Sophos.
Clearly more organizations need to wake up to the danger of data loss – storing sensitive information on an unencrypted laptop is a time bomb waiting to happen. Not only could you put your customers, staff and partners at risk – you could also be putting your company at risk of a substantial fine.