To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://www.silicon.com/financialservices/0,3800010322,39170125,00.htm

Laptop theft breaks data protection law
But financial firm faced no punishment

By Tim Ferguson

Published: Thursday 21 February 2008

Skipton Financial Services (SFS) has been found to have been in breach of the Data Protection Act by the Information Commissioner's Office (ICO) - but has escaped without any punishment.

The financial advisor company suffered the theft of an unencrypted laptop containing the personal details of 14,000 of its customers last December.

silicon.com's Full Disclosure campaign - what we are asking for...

silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.

We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

We want to hear your views about this campaign and the issues it raises. Make your voice heard by leaving a Reader Comment below or emailing us at editorial@silicon.com.

The laptop was stolen from Moore Stephens Consulting Ltd - a company processing data for SFS - and contained customer names, dates of birth, national insurance numbers and investment amounts.

The ICO said SFS should have taken steps to encrypt the information on the laptop in order to keep it secure - but did not impose any fine on the company.

This contrasts sharply with punishment meted out to the Nationwide Building Society, which was fined £980,000 by the Financial Services Authority last year, over the theft of a company laptop containing confidential customer details from an employee's home.

Assistant Commissioner Mick Gorrill said although it isn't always possible to prevent the theft of mobile devices, it is possible to minimise the damage done.

He warned that companies must take adequate measures to safeguard data on mobile devices before they leave company premises by using password protection and encryption and said those who fail to do so risk losing the trust and confidence of both employees and customers.

SFS has signed an undertaking to secure personal data in the future and has said it will carry out risk assessments where third parties are processing data for SFS.

In a statement, Simon Holt, MD of SFS, said the swift actions taken following the theft and the company's explanation were accepted by the ICO.

He said there has been "no evidence whatsoever" to suggest the customer data on the lost laptop has been misused by a third party.