The Information Commissioner’s Office (ICO) has told small businesses to make sure they encrypt customer data after a sole trader was fined for failing to do so.
Sole trader Jala Transport Ltd in Wembley was fined after it lost a hard drive containing the personal and financial details of 250 customers. The hard drive contained customer names, dates of birth, addresses, the identity documents used to support loan applications, and details of the payments made.
The data was password protected, but not encrypted.
The company was fined £5,000. This would have been £70,000 had Jala Transport Ltd had more resources.
The ICO said it expects all information to be encrypted.
“We have continued to warn organisations of all sizes that they must encrypt any personal data stored on portable devices, where the loss of the information could cause clear damage and distress to the customers affected,” said Stephen Eckersley, head of enforcement at the ICO.
“While the circumstances of this case are unfortunate, if the hard drive had been encrypted the business owner would not have left all of its customers open to the threat of identity theft and would not be facing a £5,000 penalty following a serious breach of the Data Protection Act.
“The penalty will have a real impact on this business and should act as a warning to all business owners that they must take adequate steps to keep customers’ information secure,” he said.
In a blog post, the ICO’s group manager for technology, Simon Rice, said: “Appropriate encryption products are widely available, but it is important that organisations understand the type of protection a particular encryption product offers and the circumstances under which personal data will be protected from unauthorised or unlawful access.”