Published 14th of February 2017
The Information Commissioner's Office (ICO) has fined Royal & Sun Alliance Insurance PLC (RSA) £150,000 following the loss of the personal information of nearly 60,000 customers.
The investigation looked at the theft of a hard drive device containing 59,592 customers’ names, addresses and bank account details including account numbers and sort codes. The device also held limited credit card details of 20,000 customers, although CVC numbers and expiry dates were not affected.
The ICO enforcement officers found that RSA did not have appropriate measures in place to protect financial information and to prevent the theft at its offices in West Sussex. The device was stolen from company premises either by a member of staff or by a contractor; the information on it was not encrypted, and the device has never been recovered.
Steve Eckersley, ICO Head of Enforcement said:
“Customers put their trust in companies to keep their information safe, particularly financial information. When we looked at this case we discovered an organisation that simply didn’t take adequate precautions to protect customer information. Its failure to do so has caused anxiety for its customers not to mention potential fraud issues.”
Shredall SDS Group Director, Lucy Shipley, comments: “As a company we specialise in information management and we know that the security of your documents and data is of paramount importance. It is something we would never compromise, and we’ve invested heavily in our facilities, processes, security systems and staff training to ensure we maintain the highest levels of security at all times.”
Shredall SDS Group Compliance Manager, Carole, continues:
“When a company uses hard drives and data of such importance, they should always consider drawing on the experience of information security specialists and service providers such as the Shredall SDS Group. Customers who choose to partner with us benefit from our long-standing information security awareness – underpinned by Group-wide ISO 27001 accreditation and implementation of industry best practice, such as BS EN 15713 for the secure destruction of confidential material.”
“As part of our ISO 27001, we scrutinise our business regularly via our information security risk assessment process, which enables us to put in place measures to maximise security from within – in addition to satisfying the security requirements of our customers (who expect, quite rightly, the highest levels of security from the Custodians of their information)!”
Shredall SDS Group measures include multi-tiered physical security and access controls across our premises, the application of BS 7858 for the security screening of our employees, including refreshable DBS checks, information security training for all, information security agreements with contractors, a documented encryption policy and the secure management of end-of-life IT equipment – and much, much more.
Lucy comments: “With 20 years’ experience in information management and destruction, including a clear notice history with the ICO, we have a lot to offer customers seeking to enhance their own information security procedures through a trusted contractor.”
Carole continues: “As Compliance Manager for the Group, I cannot emphasise enough that the potential long-term costs and implications of poor compliance are higher and more damaging to the reputation and growth of a business than the investment costs and benefits of good compliance from the outset. The Shredall SDS Group keeps all compliance issues high on its management agenda, incorporating information security, health & safety, environment and quality at all times, and is ever mindful of fast-changing customer needs and expectations.”