ICO Slaps Insurers RSA With £150,000 Fine After Data Protection ‘Failure’

data protection

An unencrypted hard drive containing customer’s names, addresses and bank account details was stolen

The Information Commissioner’s Office (ICO) has fined the Royal & Sun Alliance Insurance  (RSA) £150,000 following the loss of the personal information of nearly 60,000 customers.

The ICO slammed RSA for its “failure” to take “adequate precautions to protect customer information,” citing the lack of encryption, security and monitoring of its equipment.

The fine relates to the theft of a hard drive from RSA’s offices in West Sussex containing the personal information of 59,592 customers, including names, addresses and bank account details such as account numbers and sort codes.


Security failings

Twenty-thousand customers also had their credit card details stored on the device, although it is believed that CVC numbers and expiry dates were not affected,

According to the investigation carried out by ICO enforcement officers, the device was stolen by either a member of staff or a contractor and RSA did not have the appropriate security measures in places to protect the information from being accessed.

Steve Eckersley, ICO Head of Enforcement said: “Customers put their trust in companies to keep their information safe, particularly financial information. When we looked at this case we discovered an organisation that simply didn’t take adequate precautions to protect customer information. Its failure to do so has caused anxiety for its customers not to mention potential fraud issues.”

“There are simple steps companies should take when using this type of equipment including using encryption, making sure the device is secure and routine monitoring of equipment. RSA did not do any of this and that’s why we’ve issued this fine.”

The ICO has certainly not been shy to dish out financial penalties over the last few months. Back in October it fined TalkTalk a record £400,000 for the security failings which resulted in its now infamous data breach, before then fining two of the UK’s biggest charities for breaching data protection regulations.

And, in an ironic twist, the organisation confirmed last week that it also investigated itself 
for failing to meet British data protection laws in a number of cases over the last four years.

Quiz: Are you a privacy expert?