Marks & Spencer (M&S) has been found to be in breach of data protection laws, following the theft of an unencrypted laptop containing the personal details of 26,000 employees.
An investigation by the Information Commissioner’s Office (ICO) revealed that the laptop, which contained M&S employees’ pension details, was stolen from the home of an M&S contractor.
The ICO has since issued M&S with an enforcement notice, which orders the organisation to ensure all laptop hard drives are fully encrypted by this April. Failure to comply with this order is a criminal offence, the ICO warned.
“It is essential that before a company allows personal information to leave its premises on a laptop, there are adequate security procedures in place to protect personal information, for example, password protection and encryption,” said Mick Gorrill, assistant commissioner at the ICO.
“Organisations which process personal information must ensure that information is secure – this is an important principle of the act. If organisations fail to introduce safeguards to protect information they risk losing the trust and confidence of both employees and customers.”
One Response
Whoops!
When are companies and individuals going to learn?
Almost every week we hear of data being lost.
Some simple principles or rules to consider:
Rule #1 – sack any member of staff leaving a laptop in their car – this is gross negligence
Rule #2 – set up a secure VPN and do not allow data to be downloaded in any form
Rule #3 – only allow people to access data from a work location and enforce a maximum working hours policy!
It is time for HR & IT/IS teams to work together on this one. And, if you have one, your Risk Assessment team. For a publicly listed company this can damage your share price and lose value in the organisation.
Time for company directors to face up to their responsibilities!
Mike