The Information Commissioner’s Office (ICO) has become involved in a data loss incident involving Yorkshire Building Society (YBS) after it emerged that the firm had become the victim of laptop theft.
The laptop which was stolen is deemed to be particularly vulnerable to exploitation because it is completely unencrypted, leaving personal financial details of customers exposed to third parties.
Earlier in the year the ICO was granted new powers to dole out fines of up to half a million pounds to businesses and organisations which breach the Data Protection Act (DPA) with such incidents as this. However, it has not decided to impose this maximum fine as yet and instead has requested that YBS commit to a formal undertaking which will work to improve data protection policy.
In order to warrant a fine, a data loss incident must actively and deliberately have caused damage, whether financial or otherwise, to a particular member of the public, according to an ICO statement. The regulator will also take onboard the level of cooperation it receives from the implicated business and in this case YBS has been compliant and helpful and as such has avoided a financial penalty.
The ICO’s Mick Gorrill said that the stolen laptop is of grave concern in this particular instance not just because it was unencrypted but also because of the sheer amount of customer information which it was known to contain. Amongst this information were passwords and login details and thieves managed to access the laptop because it was left unprotected outside of working hours.
Mr Gorrill explained that the YBS employee responsible for the laptop’s safety was putting the data at unnecessary risk because there was no need for such a large amount of information to be stored on the laptop for standard purposes. He said that employees should have limited access to data, with only that which is essential for work being available on portable devices.
Mr Gorrill said that YBS had acted appropriately in the circumstances and was fully cooperating with the formal undertaking which will ideally stifle the chances of such a data loss repeating in the future.
