RSA: ICO issues £150,000 fine

Published on 20 March 2017

The ICO has fined Royal & Sun Alliance (RSA) £150,000 for losing the personal information of nearly 60,000 customers.

The facts

Between May and July 2015, a hard drive containing 59,592 customer names, addresses and bank details (including 20,000 credit card numbers) was stolen by a member of staff or contractor from RSA’s premises in Horsham. An access card and key were required to access the room where the device was held, but some 40 of RSA’s staff and contractors (some of whom were non-essential) could access the room unaccompanied. The device was password protected but not encrypted and has not been recovered.

The decision

The ICO found that RSA failed to take appropriate technical and organisational measures to defend against the unauthorised or unlawful processing of personal data. In particular, the ICO found that RSA:

• did not encrypt the datasets
• failed to physically secure the device within the premises
• failed to routinely monitor the device
• did not have CCTV installed
• failed to restrict access to the premises to essential staff and contractors
• permitted staff and contractors to access the premises unaccompanied
• failed to monitor access to the premises.

Steve Eckersley, Head of Enforcement at the ICO, said “there are simple steps companies should take when using this type of equipment including using encryption, making sure the device is secure and routine monitoring of the equipment. RSA did not do any of this and that’s why we’ve issued this fine”.

Why is this important?

Currently, the maximum fine the ICO can impose is £500,000. However, the introduction of the GDPR in May 2018 will enable national regulators to impose fines of up to €20m or 4% of total worldwide annual turnover, which is likely to encourage businesses to make every effort to keep personal data secure.

Any practical tips?

Review security policies, staff training and supervision to minimise the risk of a data breach. In particular, ensure that:

• non-essential personnel do not have access to personal data
• personal data is secured both physically (eg by limiting access to where it is stored) and technologically (eg by using suitably complex passwords and encryption).