From the Information Commissioner’s Office:
A financial services company with operations in the UK, USA and Middle East breached the Data Protection Act by losing over 600 customers’ personal details, the Information Commissioner’s Office (ICO) said today.
E*Trade Securities Ltd discovered that a large number of customer files were missing in April 2010 when they were asked to retrieve archived documents held in a storage facility in the UK. Files containing 608 customers’ personal data remain missing, most of the files included identification documents, proof of address and account application forms.
The company informed the ICO about the breach in December 2010 after all attempts to find the information had failed. Initial enquiries found that E*Trade Securities Ltd did not have a formal agreement in place with the contractor responsible for securely storing their client data.
The company has now agreed to take action to keep the personal information it holds secure. This includes implementing written agreements with UK contractors storing client personal data on its behalf and making sure that appropriate audit trails are in place to record where client files are being sent and stored at all times.
Head of Enforcement, Steve Eckersley, said:
“This breach was caused by the company failing to have the necessary security measures in place to keep their clients’ information secure.
“The fact that customer records are being archived in a storage facility and not regularly accessed does not give businesses license to forget about them. This case demonstrates how important it is to stipulate in writing how long personal information needs to be kept, how regularly it should be reviewed and when it can be securely destroyed.”.
The undertaking provides some additional details on the breach, which was not reported in the media at the time:
… files containing personal data relating to ETSL clients resident in the Middle East had been identified as missing from storage in the UK. Approximately 608 client files were couriered from ETSL-Dubai and placed in storage with a data processor. The files contained limited sensitive personal data, including copies of certified identification documents, application forms and client address.
The files were identified as missing when the Dubai Financial Services Authority (DFSA) sought to review them and they could not be located. The Commissioner’s investigation revealed that the data controller had no contractual agreement “made and evidenced in writing” with their UK data processor. Instructions on the security and processing of this personal data were not provided by the data controller to their data processor.