The Information Commissioner has fined two organisations a total of £160,000, in the first two penalties issued for “serious” data breaches.
Employment and training firm A4e, based in Sheffield, was fined £60,000 in an IT security breach, after it lost an unencrypted laptop containing the data of 24,000 people.
Additionally, Hertfordshire County Council, which faxed details of a child abuse case to a member of the public, was fined £100,000. last month the council won an IT excellence award.
The laptop-related breach at A4e took place in June. The company had lent an unencrypted notebook to an employee to work at home.
The machine, which contained the data of 24,000 people, was subsequently stolen from the employee’s house. The theft came at a time A4e was attempting to improve security procedures, including beginning to introduce full encryption and better policies.
The information lost was sensitive personal data on people who had used community legal advice centres in Leicester and Hull. Details included names, postcodes, dates of birth, employment, benefits and salary information, criminal allegations and whether individuals had said they were victims of violent crimes.
A4e, which informed the ICO of the incident and notified the 24,000 people whose data was lost, was found not to have taken “reasonable” steps to avoid the problem.
Information Commissioner Christopher Graham questioned why A4e had not encrypted a laptop containing so much personal information, and why that laptop was given to an employee.
The laptop theft, while less substantial than the council’s sex abuse faxes, warranted “nothing less than a monetary penalty”, Graham said. Thousands of people's privacy “was potentially compromised by the company's failure to take the simple step of encrypting the data".
The council’s faxes were mistakenly sent to a member of the public and a barrister instead of to a court. The authority apologised for the incident.
Graham stated: "These first monetary penalties send a strong message to all organisations handling personal information - get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds."
A4e chief executive Andrew Dutton apologised for the incident and said his company acted “very swiftly” when it was aware ofwhat had happened, including notifying the ICO, customers, partners and the police.
"This incident occurred as a result of a breach of our security procedures,” he said. “It also came at a time when A4e was rolling out a new, robust, company-wide set of security controls and procedures.”
Graham has also argued for jail sentences of up to two years for serious data breaches. But so far the government has turned down the demands.
Chris McIntosh, chief executive at encryption technology firm Stonewood, said the A4e fine could be less than it would have cost to encrypt its technology estate. But he added that it was a "welcome sight to see the Information Commissioner's Office finally lay its cards on the line and issue fines for losing unencrypted data".
Last week, internet search giant Google was ordered by the ICO to improve security procedures after it accidentally collected information on unencrypted Wi-Fi routers, including fragments of data transmitted by those routers. But it did not receive a fine.