Data protection watchdog the Information Commissioner’s Office (ICO) has imposed a £150,000 fine on leading insurer Royal & Sun Alliance plc (RSA) after the theft of the personal details of around 60,000 customers.
The fine will be reduced to £120,000 if paid in full by February 7 2017.
Sometime between May 18 and July 30 2015, a hard drive device was stolen by an RSA employee or contractor. This contained personal details of 59,592 of the firm’s customers. Data stolen included names, addresses and bank account details; and for around 20,000 of those affected, some of their credit card details were also stolen, although no expiry dates or card security codes were stolen.
The stolen hard drive has still not been recovered.
The ICO imposed the fine because RSA failed to take adequate measures to protect against data theft: for example, the data on the stolen drive was password protected but had not been encrypted, so the password offered no protection once the hardware was in the thief's hands.
The data protection regulator also makes the following criticisms of RSA:
• The device had not been physically secured in the data storage room (DSR)
• RSA failed to detect the theft of the device
• There was no CCTV in the DSR – as a large firm with significant resources it might be expected that the firm would have had this in place
• RSA allowed non-essential staff and contractors to visit the DSR, and to do so unaccompanied. It also failed to monitor which persons were entering the DSR
In mitigation, the ICO acknowledges that:
• There is no evidence that the stolen data has been used for fraudulent purposes
• All affected customers were offered free CIFAS protection for two years
• The firm has taken independent professional advice to improve its data security arrangements
• No RSA customer has suffered a financial loss from the theft
Any firm, large or small, must comply with the Data Protection Act, which sets out eight basic principles for the handling of personal data. One of these is to make sure that personal information is kept secure.
Steve Eckersley, ICO Head of Enforcement said:
“Customers put their trust in companies to keep their information safe, particularly financial information.
“When we looked at this case we discovered an organisation that simply didn’t take adequate precautions to protect customer information. Its failure to do so has caused anxiety for its customers not to mention potential fraud issues.
“There are simple steps companies should take when using this type of equipment including using encryption, making sure the device is secure and routine monitoring of equipment. RSA did not do any of this and that’s why we’ve issued this fine.”
An RSA spokesperson said:
“The ICO fined us for not foreseeing the risk that the theft of a storage device could cause and for not protecting it adequately.
“RSA serves nine million customers in over 100 countries and we take a breach of our security and protocols very seriously.
“Whilst there remains no evidence to suggest that the stolen storage device has resulted in any economic loss for the customers involved, we recognise that this should never have happened and we would like to say sorry once again to those of our customers and partners who were impacted.
“We have reviewed and reinforced our data protection procedures to mitigate the risk of this happening again – the substantive work that has been undertaken since then to improve data protection in our company has been acknowledged by the ICO.”