The Information Commissioner’s Office (ICO) has served Verity Trustees with a Formal Undertaking after it emerged that a laptop containing personal details of more than 100,000 individuals was stolen.
The total number of people affected by the theft is believed to be in the region of 110,000. However, 18,000 of these individuals have had their bank details exposed alongside their NI numbers, addresses, names and dates of birth.
Verity has been forced to roll out data encryption across all of the portable storage devices that it uses, as well as increasing compliance with the data processing standards laid out in the Data Protection Act.
Northgate Arinso, which operates the pension system for Verity, was in fact responsible for the breach. The laptop containing the data was stolen from a server room which should have been locked.
It emerged that the laptop had been loaded with the data for training purposes, but that this was in contravention of an internal policy of only using small amounts of personal data anonymously. Guidelines should only have allowed the use of between 50 and 100 individual elements of personal data.
Security expert Graham Cluley said that firms such as Northgate Arinso needed to ensure that data was properly encrypted during storage as well as rigorously monitored when in use.
Verity has since taken measures to protect the affected individuals and has been working in partnership with an anti-fraud agency in order to neutralise the threat of the exposed data. ICO assistant head Mick Gorill has since confirmed that his organisation was satisfied by Verity’s response to the theft, although it is clear that ICO intervention has helped to highlight the seriousness of this issue.
Cluley believes that the actions of Verity after the theft should allay the fears of the Trustees, but that more still needs to be done to prevent such incidents from occurring in the first place. Cluley referred to the theft as a data accident, although many may consider that with the degree of negligence involved, it is hard to consider such events as accidental.
