LONDON – After the theft of a laptop with personal information on 26,000 employees, British retailer Marks & Spencer has been given two months to encrypt all its notebook hard drives.
The order, from the Information Commissioner’s Office (ICO), follows the theft of an unencrypted laptop from an M&S contractor with details of the pension arrangements of the retailer’s employees.
“In light of the nature of the information contained on the laptop, it is the ICO’s view that M&S should have had appropriate encryption measures in place to keep the data secure,” the commissioner’s office said.
The ICO has issued M&S with an enforcement notice which orders the company to ensure that all laptop hard drives are fully encrypted by April. Failure to comply with the notice is a criminal offense and may result in the ICO taking further action against the company.
“It is essential that before a company allows personal information to leave its premises on a laptop there are adequate security procedures in place to protect personal information, for example, password protection and encryption,” said Mick Gorrill, assistant commissioner at the ICO.
“The ICO has issued clear guidance to help employers understand their obligations under the Data Protection Act.”
Responding to the loss of 25 million child benefit records last year, Prime Minister Gordon Brown announced that the ICO would be given increased powers to conduct spot-checks of government departments. The information commissioner wants these powers to be extended to cover all public bodies and private sector organizations.