The Information Commissioner’s Office has found Virgin Media Limited in breach of the Data Protection Act following the loss of an unencrypted CD containing the personal details of over 3,000 customers.
The ICO has now published its view on the breach by Virgin Media Limited, which came to public attention in June 2008. The ICO was alerted to the data breach following the loss of a compact disc that was passed to Virgin Media by Carphone Warehouse. The disc contained the personal details of individuals interested in opening a Virgin Media account in a Carphone Warehouse store.
Virgin Media has been ordered to implement a number of security measures to protect customers’ personal information more effectively. The company is required, with immediate effect, to encrypt all portable or mobile devices which store and transmit personal information. Any company processing personal information on behalf of Virgin Media must also use encryption software, a requirement which must be clearly stated in all contracts.
The ICO has required Virgin Media to sign a formal undertaking to comply with the principles of the Data Protection Act. Failure to meet the terms of the undertaking is likely to lead to further enforcement action by the ICO. The terms of the undertaking can be viewed here.
Mick Gorrill, Assistant Commissioner at the ICO, said: ‘The Information Commissioner’s Office takes all breaches of data security seriously. Customers must feel confident that their personal information will be handled properly by an organisation and, importantly, that their details will not be accessed by a third party. The Data Protection Act clearly states that organisations must keep personal information secure. Virgin Media recognises the seriousness of this data loss and has agreed to take the immediate remedial action that we have outlined in order to protect its customers’ personal details.’