The Information Commissioner’s Office (ICO) has handed out a £5,000 ($7,500) fine to the owner of a small money-lending firm after an external hard drive full of unencrypted customer data was stolen from his car.
The firm involved, London-based Jala Transport Ltd, suffered the loss on 3 August 2012 when a thief snatched a briefcase containing the drive, documents and £3,600 in cash through an open window while the owner’s car was stationary at traffic lights.
The drive contained a backup database holding the personal data of 250 clients, including their name, address, date of birth, nationality, passport number, driving licence information and proof-of-address documents. Despite being protected by an 11-character password, it was not encrypted.
The drive has not been found, and while none of the individuals in the database have suffered as a result of the loss, the risk of identity theft remains. The ICO said it could have imposed a fine of up to £70,000 for the breach but had taken into account the resources of Jala Transport and the fact that the matter had been voluntarily reported before deciding on the £5,000 fine.
Fines for small sole-trading firms are extremely rare, largely because so few cases are reported, but it appears the ICO wanted to ram home the point that size is no excuse for sloppy data security.
“We have continued to warn organisations of all sizes that they must encrypt any personal data stored on portable devices, where the loss of the information could cause clear damage and distress to the customers affected,” said the ICO’s head of enforcement, Stephen Eckersley.
“While the circumstances of this case are unfortunate, if the hard drive had been encrypted the business owner would not have left all of their customers open to the threat of identity theft and would not be facing a £5,000 penalty following a serious breach of the Data Protection Act,” he said.
Opinion of the ICO’s action was mixed.
“Following criticism that it concentrates on the public sector at the expense of the private, it might be that the ICO is looking to prove its credentials against the private sector too,” said ViaSat UK CEO, Chris McIntosh. “However, one shouldn’t read too much into this: the financial penalty was small, and levied against a single operator who would have very few resources to protest their punishment.”
Nevertheless, the firm had been punished after being a victim of “daylight robbery,” he said.
“What this does suggest is that, regardless of the size of an organisation, the ICO is becoming more strict on the need to at the very least encrypt data. No SME can match the security and protocols put in place by a major enterprise: however, at the very least it seems investing in encrypted hard drives will be increasingly necessary to keep the ICO wolf from the door.”