The Information Commissioner’s Office (ICO) has criticised Panasonic after an unencrypted laptop containing personal information on 970 people was stolen.
The device was stolen from an employee of an unnamed third-party firm that Panasonic had hired to help it put on an event at a hotel. The laptop data included names, addresses, contact details, dates of birth, passport details and emergency contact details.
The ICO discovered that the passport information was only needed for overseas guests staying at the hotel, but that passport data on all guests was collected as it was felt it might be useful in an emergency.
The laptop was password protected, but did not have encryption or physical security. The ICO said that although Panasonic’s own data-protection policies were comprehensive, it had never communicated these to the third party.
The firm's UK managing director Andrew Denham has now signed an undertaking to improve its data protection policies. In a statement Denham said the firm was already working on these requirements.
"With reference to the statement on the ICO's website, we are currently taking steps to ensure full compliance with the ICO's Undertaking and further strengthen our current procedures to avoid a similar incident in the future," he said.
The ICO explained that although the third-party firm had lost the data, Panasonic was responsible for ensuring its security.
“Businesses must remember they are ultimately responsible for making sure the personal information they use is looked after at all times in compliance with the Data Protection Act. This includes when they are contracting out the use of their information to another service provider,” they said.
“In this case Panasonic failed to make sure that their own existing policies for looking after their data were being followed by their contractor. If they had then this incident would, in all likelihood, have been avoided. The contract they had in place with the provider was also extremely limited when it came to explaining how personal information should be kept secure.”
The incident is the second the ICO has ruled on this week, after it criticised the Royal Veterinary College (RVC) for failing to implement bring-your-own-device policies after sensitive data, which was stored on a staff-owned device, was lost.
Unencrypted devices are frequently the cause of data loss incidents. Despite numerous incidents and warnings from the ICO, firms are still failing to adequately protect their data, and the ICO has again urged organisations to understand their security obligations for data.