Royal London Mutual Insurance Society Security Breached – Action Taken

The UK’s Information Commissioner’s Office (ICO) has found the Royal London Mutual Insurance Society in breach of the Data Protection Act (DPA) after 8 laptops were stolen from the company’s Edinburgh offices. 2 of the laptops contained the personal details of 2,135 people. Those affected were employees of firms which had sought pension scheme illustrations.

The laptops containing personal information were unencrypted but were password protected. This is a common mistake made by management and IT folks alike. Password protection can be easily circumvented. Usually moving the hard disk into another computer is enough, but there are also TOOLS available to those who have their minds set on accessing your PII. An internal report showed that the company was uncertain about the precise location of the laptops at times, and that physical security measures were inadequate. Managers were not aware that personal information was stored on any of the laptops, meaning no additional precautions to secure the data had been taken.

The CEO has signed an Official Undertaking to ensure that portable and mobile devices are encrypted going forward. The Undertaking also requires appropriate physical security measures to be put in place. Learn a lesson from the mistakes of others. Learn to sleep at night: adopt encryption on all mobile devices, and consider it for ALL electronic devices, PERIOD. It is not a silver bullet for all of your security concerns, but it is definitely high-caliber ammunition!

ICO Enforcement