The information commissioner has dropped an enforcement notice
against Marks & Spencer after the retailer encrypted every
laptop across the organisation following a major security
breach.
The Information Commissioner's Office (ICO) issued the
enforcement notice in January after it found M&S in breach
of the Data Protection Act, following the theft of an
unecrypted laptop containing the personal information of 26,000
M&S employees.
The laptop, which contained details on employees' names, salary
details, addresses, national insurance numbers, dates of birth and
phone numbers, was stolen from a printing company.
The ICO cancelled the enforcement notice after Marks &
Spencer confirmed it had completed its encryption programme in
July.
Darrell Stein, IT director at M&S, told the ICO in a letter
on 8 July that all 4,352 laptops in the organisation across 11
countries had been encrypted using software from Utimaco.
"Marks & Spencer will continue to ensure that personal data
stored on laptops, including those acquired in future, are
encrypted," he said.
M&S had originally appealed against the enforcement notice,
in a case due to be heard this week, but withdrew the appeal in
mid-July following the ICO's decision to drop the enforcement
notice.
The retailer hired Morse, Computacenter and law firm Field
Fisher Waterhouse to advise on the programme.
The printing firm had the database to allow it to write to
employees about changes in the pension scheme. Marks & Spencer
said the laptop was password-protected.