ICO raps insurance firm for data breach


The Information Commissioner's Office (ICO) has taken action against an insurance company following a data breach affecting 2,100 policyholders.

Kent-based Jubilee Managing Agency, part of Lloyd's, lost an unencrypted disk holding the information, and was forced by the ICO to sign a "formal undertaking", essentially a promise to improve its data protection methods.

The ICO blamed the breach on the firm's lack of staff training and poor data handling procedures.

The ICO said that some of the data held on the disk was over 10 years old and referenced policies that had since been cancelled or were for people who had since died.

"This case is not only a reminder that the appropriate safeguards should be in place to protect personal information, but that organisations must ensure information is accurate and up to date," said Sally-anne Poole, Head of Enforcement & Investigations at the ICO, in a statement.

"Organisations should only retain personal information for as long as necessary," she added. "It is a matter of some concern to us that expired policies, including financial details, were still available and stored on unencrypted devices."

The ICO noted that there have been 161 reported data breaches in the private sector since November 2007.
