Data protection: ICO fines company for data breach

The Information Commissioner’s Office (ICO) has fined a nationwide money lender £180,000 for failing to keep customers’ personal information secure. The fine illustrates, once again, the importance for businesses of being aware of their obligations under the Data Protection Act 1998.

In this case, one server was stolen from a company office and a second server was lost while being transported from the firm’s head office to a branch. Both servers held customer records and records relating to the company’s employees. The ICO found that the company did not encrypt the personal data held on its servers. In addition, some of its branches did not have a “safe haven” (in which to lock a server holding personal data overnight) or alternative physical security measures. The ICO considered that the loss of unencrypted personal data could cause distress and damage to the company’s customers if, for example, it was used for fraudulent purposes.