Information Commissioner's Office

Small businesses warned about importance of encryption, after London sole trader fined £5,000

The Information Commissioner’s Office (ICO) has warned small businesses that they must make sure they have adequate measures in place to keep customers’ details secure, after a sole trader was fined £5,000.

Jala Transport Ltd, a Wembley-based loans company, received the penalty after the loss of a hard drive containing financial details relating to all of the sole proprietor’s approximately 250 customers.

The hard drive was lost after it was stolen from the business owner’s car while it was stationary at a set of traffic lights in London on 3 August 2012. The external hard drive was in a case with some documents and £3,600 in cash. The hard drive was password protected, but crucially not encrypted, and included each customer’s name, date of birth, address, the identity documents used to support the loan application and details of the payments made.

The ICO expects all information to be encrypted where the loss of the data could lead to those affected suffering damage and distress. The initial incident would have resulted in a penalty of £70,000 being imposed, but the limited financial resources of the company resulted in the penalty being lowered to £5,000. The ICO also considered that the data breach was voluntarily reported.

ICO Head of Enforcement, Stephen Eckersley, said:

“We have continued to warn organisations of all sizes that they must encrypt any personal data stored on portable devices, where the loss of the information could cause clear damage and distress to the customers affected.

“While the circumstances of this case are unfortunate, if the hard drive had been encrypted the business owner would not have left all of their customers open to the threat of identity theft and would not be facing a £5,000 penalty following a serious breach of the Data Protection Act.

“The penalty will have a real impact on this business and should act as a warning to all business owners that they must take adequate steps to keep customers’ information secure.”

The ICO’s Group Manager for Technology, Simon Rice, has published a blog explaining the importance of encryption and the options available to organisations that need to encrypt their data.

In the blog Simon Rice explains that:

“Encryption software uses a complex series of mathematical algorithms to protect and encrypt information. This hides the underlying data and prevents any inadvertent access to, or unauthorised disclosure of, the information. This means that even if a device containing personal information is lost or stolen, the information will remain secure as long as the would-be data thief isn’t able to access the encryption key required to crack the algorithm.

“Appropriate encryption products are widely available, but it is important that organisations understand the type of protection a particular encryption product offers and the circumstances under which personal data will be protected from unauthorised or unlawful access.”

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter.

4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

6. Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.

7. Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).
