Insurance firm breaches Data Protection Act

Details of 100,000 customers were on unencrypted laptop which was stolen

The laptop was lost by a contractor

The Information Commissioner’s Office (ICO) has found insurer Amicus Legal in breach of the Data Protection Act after the firm reported an unencrypted laptop was stolen containing personal information relating to 100,000 customers.

Andy Tomkins, Amicus Legal chief executive, has signed a formal undertaking outlining that the firm will take reasonable measures to keep personal information secure in future, including encrypting all portable devices.

Sally-Anne Poole, ICO head of enforcement and investigations, said the case was serious because it involved the data of 100,000 customers, including sensitive information relating to legal advice.

"This breach illustrates that even though a contractor lost the data, it is the data controller – Amicus Legal – which is responsible for the security of the information. It is vital that personal information is handled properly and in compliance with the Data Protection Act," she said.

Since November 2007, 161 data security breaches have been reported to the ICO from the private sector.

Poole urged all chief executives to take personal responsibility for treating data protection as a corporate governance issue affecting the whole organisation.

"They have to make sure that safeguarding the personal information of customers and staff is embedded in their organisational culture," she said.

The ICO said failure to meet the terms of the undertaking is likely to lead to further enforcement action.