Marks & Spencer has been given two months to encrypt all its laptop hard drives.
The order, from the Information Commissioner's Office (ICO), follows the theft last May of an unencrypted laptop which contained the personal information of 26,000 M&S employees.
The laptop contained details of the pension arrangements of M&S employees and was stolen from the home of an M&S contractor.
"In light of the nature of the information contained on the laptop, it is the ICO's view that M&S should have had appropriate encryption measures in place to keep the data secure," the commissioner's office said.
The ICO has issued M&S with an enforcement notice which orders the company to ensure that all laptop hard drives are fully encrypted by April. Failure to comply with the notice is a criminal offence and may result in the ICO taking further action against the company.
Mick Gorrill, assistant commissioner at the ICO, said: "It is essential that before a company allows personal information to leave its premises on a laptop there are adequate security procedures in place to protect personal information, for example, password protection and encryption.
"The ICO has issued clear guidance to help employers understand their obligations under the Data Protection Act."
Responding to the loss of 25 million child benefit records last year, Gordon Brown announced that the ICO would be given increased powers to conduct spot-checks of government departments. The information commissioner wants these powers to be extended to cover all public bodies and private sector organisations.