Insurer hit with fine after unencrypted NAS stolen

Royal & Sun Alliance (RSA) has been handed a big fine by the Information Commissioner (ICO) for losing a networked hard drive full of unencrypted customer data in strange circumstances.

The facts of the case are that at some point between May and July 2015 (the lack of certainty is indicative), a Network Attached Storage (NAS) disappeared from a server room at the company’s Horsham site.

What went with it was a database containing 59,592 customer records, including names, addresses, bank and sort numbers. In 20,000 cases, credit card primary account numbers were also mentioned, although not expiry dates or CVV numbers.

The lack of encryption is one takeaway, although password protection was in place. The more incredible aspect of the incident is that nobody at RSA noticed that something as big and important as a NAS containing customer data had mysteriously been taken offline, apparently while it was still in use.

It then took weeks for anyone to notice the drive was no longer physically in the server room, supposedly a secure location. There was no CCTV in operation and it seems that up to 40 staff members, including contractors, visited the room unaccompanied.

Announcing a £150,000 ($185,000) fine for the loss, Steve Eckersley, the ICO’s head of enforcement, was perhaps stating the obvious when he said: “There are simple steps companies should take when using this type of equipment including using encryption, making sure the device is secure and routine monitoring of equipment. RSA did not do any of this and that’s why we’ve issued this fine.” However, despite that, the fine fell short of the maximum of £500,000 that could have been imposed.

We’ve been here before – numerous times in fact.

The firecracker at the start of this era was probably the £980,000 fine on Nationwide Building Society in 2007 after a laptop containing the unencrypted customer data of nearly 11m people was stolen from an employee’s home.

Issued by the Financial Service Authority (FSA), the City watchdog at the time, rather than the ICO, the fine has gone down in history for its record size. It was seen as a warning, and security heads duly took note. Despite its awkwardness and expense, encryption spread.

And yet incidents have continued to happen on a smaller scale, including Glasgow Council’s loss of dozens of unencrypted laptop in 2013, the same year NHS Surrey was fined £200,000 for allowing someone to buy a hard drive that still had 3,000 patient records on it.

Even government itself has found itself on the wrong end of fines, such as the £180,000 enforcement sent to the Ministry of Justice in 2014 for losing an unencrypted backup drive.

It’s not as if organisations can’t say they weren’t warned. Over the years, the ICO has issued a number of high-profile recommendations about the need for data encryption under the Data Protection Act (DPA), the latest of which appeared a year ago.

The question of the effect of fines is an interesting one. Critics regularly decry token fines for serious data loss incidents while the opposite view is that they are more about public embarrassment than monetary pain. However, fines under the forthcoming European General Data Protection Regulation (GDPR), due to take effect next year, will be big enough to focus minds further on security: they will be either up to €20m or up to 4% of global turnover.

The less discussed issue is how long it often takes organisations to discover the loss of drives. GDPR gets tough here, too, with strict new standards for breach notification (including physical loss of data). In whatever form Brexit unfolds, UK organisations will still find this de facto change in regulation impossible to ignore.