Kent-based insurance firm Jubilee Managing Agency has been found
in breach of the Data Protection Act by the Information
Commissioner's Office.
The case highlights the importance of
encrypting data on any device to ensure that information is
safe even if it gets into the wrong hands.
Jubilee Managing Agency, which is part of Lloyds, lost an
unencrypted disc which contained the personal details of 2,100
people.
A review found a lack of detailed data security procedures and
policies, and insufficient staff training in the agency.
Sally-anne Poole, head of enforcement and investigations at the
Information Commissioner's Office (ICO), said that since November
2007, 161 data security breaches have been reported to the ICO in
the private sector.
"We urge all CEOs and their senior management teams to ensure
data protection is treated as a corporate governance issue
affecting the whole organisation. All organisations need to make
sure that safeguarding the personal information of customers and
staff is embedded in their organisational culture."
Andrew Kahl, co-founder at security supplier Credant Technologies,
said although the insurance firm blamed the data breach on a
lack of staff training and poor data handling procedures, there
is no excuse for not encrypting data.
"The reality is that all firms need to adhere to IT security
policies involving encryption of staff and customers' personal
data," he said.
Richard Taylor, director at business consultancy LPI2, said
there is a move in the insurance sector towards using digital
rights management software to protect data. This software makes data
inaccessible if, for example, it is put onto a different device
from the one it legitimately resides on.
He said insurance companies are particularly vulnerable to data
theft because they have to keep information for many years to help
them calculate their insurance charges.