Legal Update

Nov 29, 2010

Theft of Laptop Containing Unencrypted Personal Data Results in £60,000 Fine to Employer


One of the most common forms of security breach is the theft of laptops containing personal information.  Laptops get stolen from homes, vehicles and businesses, get left on planes and trains, or are just plain lost.

Seyfarth Shaw has already been recommending that companies (including employers) encrypt laptops that contain an individual’s personal information for two major reasons: 1) Encryption can avoid the necessity to send out data security breach notices (under state laws and HIPAA) to the affected individuals—saving a company substantial costs; and 2) Massachusetts security regulations require encryption.

Now there is a third reason—enforcement. On November 22, 2010, the United Kingdom’s Information Commissioner levied a £60,000 (approximately $94,669) fine against an employment services company whose employee had a laptop stolen from her home.

The scenario is not particularly uncommon. The employee worked from home and left the laptop computer on her dining room table.  The laptop contained sensitive and personal information relating to 24,000 clients, including name, postcode, date of birth and gender.  Some of the data, such as ethnicity, disability status, employment status and income level, was coded, but the codes were explained in a document that also was on the laptop.

The Information Commissioner found that even though the employer had a policy that sensitive information should not be put on laptops and that laptops should be secured when not in use, and was rolling out encryption software to its employees, the employer had failed to take appropriate technical and organizational measures against the accidental loss of personal data held on the laptop.

The commissioner was not particularly sympathetic to the employer, because the employer had furnished the employee with a laptop computer with the knowledge that it would be used for home working and would have been aware from the start of the amount and nature of the personal data she would be processing on the laptop from home.  The commissioner found that the employer should have encrypted the laptop computer before it was issued to the employee rather than leave it to the employee to arrange encryption.  Therefore, the commissioner found that the employer should have encrypted the data or the laptop computer and provided the employee with security devices for the laptop computer, such as a computer lock.

While this is obviously a UK decision, employers in the United States should take note. If this had happened in the United States, and the laptop had held personal information (particularly a Social Security number) regarding Massachusetts residents, the employer would likely have been in violation of the Massachusetts security regulations. Beyond Massachusetts, the laws of several states, as well as the federal laws HIPAA (health information), GLB (financial information) and COPPA (children’s information) and the recently introduced federal Data Security and Breach Notification Act of 2010 (not enacted), require “reasonable” security measures related to personal information.

It is probably only a matter of time before a regulator determines that failing to encrypt or secure a laptop computer containing personal information is not “reasonable” and that a similar breach results in enforcement in the United States.

While a full discussion of security is beyond the scope of this memo, other security measures to consider include limiting the personal data about a customer or employee to what really needs to be used; deciding which employees, if any, should be permitted to use data on a laptop; and considering substitutes for the SSN (such as the last four digits of the SSN, or a hash of part of the SSN and the person’s name). In addition, similar requirements should be imposed on vendors who receive personal data.
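The SSN substitutes mentioned above (truncation to the last four digits, or a hash of part of the SSN plus the name) are easy to implement but have a caveat worth seeing in code: the last four digits take only 10,000 possible values, so an unkeyed hash of them can be recovered by trying every value. The following is an added example, not code from the memo or from Seyfarth Shaw; the sample record and the secret key are constructed placeholders, and the use of HMAC with a key held outside the laptop is this example’s assumption about how such a token should be built, not something the memo prescribes.

```python
"""Added example: minimizing and pseudonymizing SSN data before it is placed on
a laptop. Constructed sample values only; the key below is a placeholder that
in practice would come from a secrets store and never travel with the data."""
import hashlib
import hmac
from typing import Dict, Iterable, Optional

# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "date_of_birth": "1980-01-01",
    "income_level": "B",
}
# Placeholder key; assumption: kept in a key store, not on the laptop.
SECRET_KEY = b"example-key-replace-with-managed-secret"


def last_four(ssn: str) -> str:
    """Truncate an SSN to its last four digits after normalizing separators."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    return digits[-4:]


def _message(ssn: str, name: str) -> bytes:
    # Canonicalize the name so the same person always yields the same token.
    return f"{last_four(ssn)}|{name.strip().lower()}".encode("utf-8")


def unkeyed_token(ssn: str, name: str) -> str:
    """Plain SHA-256 over last four digits + name: deterministic but enumerable."""
    return hashlib.sha256(_message(ssn, name)).hexdigest()


def keyed_token(ssn: str, name: str, key: bytes) -> str:
    """HMAC-SHA256 over the same fields; without the key the token cannot be
    enumerated from the 10,000 possible last-four values."""
    return hmac.new(key, _message(ssn, name), hashlib.sha256).hexdigest()


def recover_last_four(token: str, name: str) -> Optional[str]:
    """Shows the weakness of the unkeyed form: a known name plus 10,000 guesses
    is enough to find the last four digits behind an unkeyed token."""
    target = name.strip().lower()
    for i in range(10000):
        candidate = f"{i:04d}"
        guess = hashlib.sha256(f"{candidate}|{target}".encode("utf-8")).hexdigest()
        if hmac.compare_digest(guess, token):
            return candidate
    return None


def minimize_record(record: Dict[str, str], needed: Iterable[str], key: bytes) -> Dict[str, str]:
    """Keep only the fields that really need to travel, and replace the SSN
    with a keyed token so the laptop never holds the full number."""
    keep = set(needed)
    out = {k: v for k, v in record.items() if k in keep and k != "ssn"}
    if "ssn" in keep:
        out["ssn_token"] = keyed_token(record["ssn"], record["name"], key)
    return out


if __name__ == "__main__":
    weak = unkeyed_token(SAMPLE_RECORD["ssn"], SAMPLE_RECORD["name"])
    print("unkeyed token recovered last four:", recover_last_four(weak, SAMPLE_RECORD["name"]))
    strong = keyed_token(SAMPLE_RECORD["ssn"], SAMPLE_RECORD["name"], SECRET_KEY)
    print("keyed token recovered last four:", recover_last_four(strong, SAMPLE_RECORD["name"]))
    print(minimize_record(SAMPLE_RECORD, ["name", "ssn", "income_level"], SECRET_KEY))
```

Run stand-alone, the script recovers the digits behind the unkeyed token immediately and fails against the keyed one. The design point is that a token only protects the SSN to the extent the key is unavailable to whoever obtains the laptop; keeping the key in a managed store and issuing only minimized, tokenized records is what makes the substitute meaningful, while full-disk encryption remains the baseline the memo recommends.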

For more information, please contact the Seyfarth attorney with whom you work, or any Labor and Employment attorney on our website.

Seyfarth Shaw LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from their professional advisers.