The UK’s Information Commissioner’s Office (ICO) recently fined Royal & Sun Alliance Insurance PLC (RSA) £150,000 ($186,000) after a hard drive containing the personal information of nearly 60,000 customers was stolen. The drive held names, addresses, bank account details, and limited credit card information. It was taken between mid-May and late July 2015 by a staff member or contractor who had access to the data server room at one of RSA’s offices. The ICO stated that it had no evidence the information had been further disseminated, accessed by third parties, or used for fraud. It nonetheless concluded that RSA violated the Data Protection Act by failing to take appropriate technical and organizational measures to prevent this type of incident, including failing to restrict access to the server room and failing to physically secure the device. Although the device was password protected, the ICO noted that RSA had not encrypted it and did not routinely monitor the equipment. The violations, while determined not to be deliberate, dated back to April 2013, when RSA acquired the device, and lasted until July 2015.
TIP: While much of the focus in today’s environment is on protecting consumer information from cyber-attacks, physical data loss stemming from lost or stolen computer equipment and paper files also poses a threat to consumer privacy. Note the distinction the ICO drew in this case: a login password on a device controls access to the operating system, but it does not protect the data if the drive is removed and read directly, whereas encryption of the stored data does. Companies should therefore encrypt portable and removable storage, restrict and log physical access to server rooms, keep track of the equipment they hold, and otherwise take appropriate steps to protect consumer data from physical theft.