The Information Commissioner’s Office has found Amicus Legal Ltd in breach of the Data Protection Act after reporting that a laptop computer containing personal information relating to 100,000 customers was stolen. The laptop, privately owned by a contracted consultant, was not encrypted.
Amicus Legal has signed a formal undertaking outlining that it will take reasonable measures to keep personal information secure in future. The undertaking has been signed on behalf of Amicus Legal Ltd by the Chief Executive, Andy Tomkins. Amicus Legal Ltd will ensure appropriate security measures are implemented to protect personal information more effectively. For example, all portable and mobile devices which are used to store and transmit personal information must be encrypted, with immediate effect.
Sally-Anne Poole, Head of Enforcement & Investigations at the ICO, said: ‘We are investigating a number of the most serious reported data breaches. This case was serious because it involved the data of 100,000 customers, including sensitive information relating to legal advice. This breach illustrates that even though a contractor lost the data, it is the data controller (Amicus Legal Ltd) which is responsible for the security of the information. It is vital that personal information is handled properly and in compliance with the Data Protection Act. Since November 2007, 161 data security breaches have been reported to the ICO by the private sector. We urge all CEOs and their senior management teams to take personal responsibility for treating data protection as a corporate governance issue affecting the whole organisation. They have to make sure that safeguarding the personal information of customers and staff is embedded in their organisational culture.’
Failure to meet the terms of the undertaking is likely to lead to enforcement action by the ICO. A copy of the undertaking can be downloaded from http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx.