Information Commissioner orders Marks & Spencer to encrypt data after laptop theft

The Information Commissioner's Office (ICO) has taken enforcement action against Marks & Spencer, with the retailer ordered to encrypt all hard drives by April 2008.

The ICO found Marks & Spencer in breach of the Data Protection Act. This followed the theft of an unencrypted laptop last year, which contained the personal information of 26,000 M&S employees.

An ICO investigation revealed that the laptop, which contained details of the pension arrangements of M&S employees, was stolen from the home of an M&S contractor.

In light of the nature of the information contained on the laptop, Marks & Spencer should have had appropriate encryption measures in place to keep the data secure, said the Information Commissioner's Office.

Mick Gorrill, assistant commissioner at the ICO, said, "It is essential that before a company allows personal information to leave its premises on a laptop, there are adequate security procedures in place to protect personal information, for example, password protection and encryption.

"The ICO has issued clear guidance to help employers understand their obligations under the Data Protection Act."

The ICO has now issued Marks & Spencer with an enforcement notice, which orders the company to ensure that all laptop hard drives are fully encrypted by April 2008.

Failure to comply with the enforcement notice is a criminal offence and may result in the ICO taking further action against the company.

Last year, prime minister Gordon Brown announced that the Information Commissioner's Office would be given increased powers to conduct spot checks on government departments. The information commissioner has called for these powers to be extended to cover all public bodies and private sector organisations too.

Information commissioner's plea to businesses >>

Data breaches need policing, warns consumer body >>

What CIOs should be doing about security in 2008 >>