News

Marks & Spencer in the clear over loss of staff data

Warwick Ashford

The information commissioner has dropped an enforcement notice against Marks & Spencer after the retailer encrypted every laptop across the organisation following a major security breach.

The Information Commissioner's Office (ICO) issued the enforcement notice in January after it found M&S in breach of the Data Protection Act, following the theft of an unecrypted laptop containing the personal information of 26,000 M&S employees.

The laptop, which contained details on employees' names, salary details, addresses, national insurance numbers, dates of birth and phone numbers, was stolen from a printing company.

The ICO cancelled the enforcement notice after Marks & Spencer confirmed it had completed its encryption programme in July.

Darrell Stein, IT director at M&S, told the ICO in a letter on 8 July that all 4,352 laptops in the organisation across 11 countries had been encrypted using software from Utimaco.

"Marks & Spencer will continue to ensure that personal data stored on laptops, including those acquired in future, are encrypted," he said.

M&S had originally appealed against the enforcement notice, in a case due to be heard this week, but withdrew the appeal in mid-July following the ICO's decision to drop the enforcement notice.

The retailer hired Morse, Computacenter and law firm Field Fisher Waterhouse to advise on the programme.

The printing firm had the database to allow it to write to employees about changes in the pension scheme. Marks & Spencer said the laptop was password-protected.


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy