Yorkshire Building Society will take "remedial steps" following a data breach earlier this year when an unencrypted laptop containing customer details was stolen from its Cheltenham premises.
Iain Cornish, Yorkshire Building Society's chief executive, signed an agreement with the Information Commissioner's Office (ICO) following the breach of the Data Protection Act. Undertakings include regularly monitoring compliance with policies on data protection and IT security, using encryption software on all portable devices and limiting staff access to personal data to only that needed for their work.
Mick Gorrill, head of enforcement at the ICO, said, "It is extremely concerning that an unencrypted laptop containing large amounts of personal data was left unsecured overnight, together with details of its passwords. What's more, the fact that the employee did not require all the information to carry out the task in hand created an unnecessary risk which could easily have been avoided; employees should only have access to information that is absolutely vital to work which is being carried out.
"I am pleased that the Yorkshire Building Society took such prompt and effective action and am satisfied that steps are now in place to prevent this happening again," added Gorrill.
The laptop was stolen in April this year and was recovered within 48 hours by private investigators. Forensic investigations revealed data was not accessed, although there had been several attempts to do so.
An NHS Trust also came under fire from the ICO this week after the loss of a CD containing the unencrypted records of 112 patients.