Warning for small businesses about importance of encryption

The Information Commissioner’s Office (ICO) has warned small businesses that they must make sure they have adequate measures in place to keep customers’ details secure, after a sole trader was fined £5,000.

Jala Transport Ltd, a Wembley-based loans company, received the penalty after the loss of a hard drive containing financial details relating to all of the sole proprietor’s approximately 250 customers.

The hard drive was stolen from the business owner’s car while the car was stationary at a set of traffic lights in London on 3 August 2012. The external hard drive was in a case with some documents and £3,600 in cash. The hard drive was password protected, but crucially not encrypted, and included the customers’ names, dates of birth and addresses, the identity documents used to support the loan applications and details of the payments made.

The ICO expects all information to be encrypted where the loss of the data could lead to those affected suffering damage and distress. The incident would initially have resulted in a penalty of £70,000, but the company’s limited financial resources led to the penalty being lowered to £5,000. The ICO also took into account that the data breach was voluntarily reported.

ICO Head of Enforcement, Stephen Eckersley, said:

“We have continued to warn organisations of all sizes that they must encrypt any personal data stored on portable devices, where the loss of the information could cause clear damage and distress to the customers affected.

“While the circumstances of this case are unfortunate, if the hard drive had been encrypted the business owner would not have left all of their customers open to the threat of identity theft and would not be facing a £5,000 penalty following a serious breach of the Data Protection Act.

“The penalty will have a real impact on this business and should act as a warning to all business owners that they must take adequate steps to keep customers’ information secure.”

The ICO’s Group Manager for Technology, Simon Rice, has published a blog explaining the importance of encryption and the options available to organisations that need to encrypt their data.

In the blog Simon Rice explains that:

“Encryption software uses a complex series of mathematical algorithms to protect and encrypt information. This hides the underlying data and prevents any inadvertent access to, or unauthorised disclosure of, the information. This means that even if a device containing personal information is lost or stolen, the information will remain secure as long as the would-be data thief isn’t able to access the encryption key required to crack the algorithm.

“Appropriate encryption products are widely available, but it is important that organisations understand the type of protection a particular encryption product offers and the circumstances under which personal data will be protected from unauthorised or unlawful access.”

Should you wish for any guidance on encryption and other computer security issues, please contact Mark Morris, our head of Computer Forensics, or any of the team at BGP.