From the capital city of the United Kingdom to the capital city of California: it doesn’t matter if you are in London or Sacramento – you need to encrypt your disk drives. At one level it seems so obvious. But as these stories show – it’s much easier said than done! Both are examples not only of the need for encryption but also of the need to delete and destroy old information outright.
In London, the Jubilee Managing Agency, which is part of Lloyds and the parent of automobile insurance provider Jubilee Motor Policies, breached the Data Protection Act (DPA) by misplacing an unencrypted disk containing the personal details of around 2,100 UK policyholders. The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to promote access to official information and to protect personal information. It has required Jubilee to complete a formal undertaking in which it promises to take reasonable measures to keep personal information secure in the future.
The ICO said that Jubilee suffered from a lack of detailed data security procedures and policies, and insufficient staff training. Insurance companies are particularly vulnerable to data theft because they have to keep information for many years to help them calculate their insurance charges. But the need to keep the data and the need to keep the data unencrypted on personal computers should be two different things.
Sally-Anne Poole, head of enforcement and investigations at the Information Commissioner’s Office (ICO), said that since November 2007, 161 data security breaches have been reported to the ICO in the private sector. Poole notes, “We urge all CEOs and their senior management teams to ensure data protection is treated as a corporate governance issue affecting the whole organisation. All organisations need to make sure that safeguarding the personal information of customers and staff is embedded in their organisational culture.”
Meanwhile, thousands of miles away, 6,000 current and former employees at Sutter Health in Sacramento, California are being notified that they should keep an eye on their credit reports. This breach is a clear example of an incident that could have been avoided entirely had a data security measure like laptop encryption software been used.
This leak was discovered by a computer repair shop, which found the data on an old laptop that had been brought in for repair. Until they were contacted by the computer repair shop, Sutter Health’s records had shown that the computer had been in the possession of a Sutter employee since 2007. Fortunately for Sutter, when a computer repair shop employee realized that sensitive information was on the computer, the shop immediately contacted Sutter.
The solution seems so obvious – but only in hindsight was it obvious to this company. Sutter is quite belatedly starting to use encryption software on all its laptop computers. Furthermore, training has been established so all employees know not to save files locally, on hard drives, but to save them instead on network drives that can be monitored and secured by the company.
While full details were not released in the London case, both instances appear to involve disk drives that had quite simply fallen out of the company’s active inventory. It’s just another reason for laptop encryption software – even when mistakes happen, this software will keep an “organization” or an “organisation” covered around the world.


