When is a locked server room not secure enough?

The Royal & Sun Alliance Insurance have been fined £150,000 by the ICO for failing to keep customers’ information safe when a portable ‘Network Attached Storage’ device containing data on nearly 60,000 customers disappeared from a secure server room.

According to the Monetary Penalty Notice, the device was password protected but unencrypted. It was taken from a secure server room that required an access card and key.

The Commissioner states that the RSA did not have in place appropriate technical and organisational measures for ensuring so far as possible that such an incident would not occur. In particular:

(a) RSA did not encrypt the datasets prior to loading them on the device.

(b) RSA failed to physically secure the device in the server room.

(c) RSA failed to routinely monitor whether the device was still online and (if not) raise the alarm.

(d) RSA did not have CCTV installed inside the server room.

(e) RSA failed to restrict access to the server room to essential staff and contractors.

(f) RSA permitted its staff and contractors to access the DSR unaccompanied.

(g) RSA failed to monitor access to the server room.
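Point (c) is the one control on this list that is cheap to automate: a device that holds tens of thousands of customer records should be polled continuously, and its disappearance should page someone within minutes, not be noticed weeks later. The script below is an added example written for this page, not RSA's code or anything from the ICO notice; the device name, the 192.0.2.10 address, the SMB port, the polling interval and the three-probe threshold are all assumptions, and the probe history it replays is constructed.

```python
"""Heartbeat monitor for a storage device that should always be online.

Added example illustrating failure (c) above. Not RSA's code or the ICO's;
host, port, polling interval and alarm threshold are assumptions.
"""
import socket
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class DeviceMonitor:
    name: str
    host: str
    port: int = 445            # assumed: the NAS exposes an SMB share
    missed_limit: int = 3      # consecutive failed probes before raising the alarm
    timeout: float = 2.0       # seconds to wait for a TCP connect
    missed: int = 0
    alarmed: bool = False
    events: List[str] = field(default_factory=list)   # audit trail of alarms/recoveries

    def probe(self) -> bool:
        """Live TCP reachability check; the offline demo below does not call it."""
        try:
            with socket.create_connection((self.host, self.port), timeout=self.timeout):
                return True
        except OSError:
            return False

    def record(self, online: bool, when: datetime) -> Optional[str]:
        """Feed one probe result.

        Returns an ALARM message once the device has been unreachable for
        missed_limit consecutive probes, a RECOVERED message when it answers
        again after an alarm, and None otherwise. The alarm fires only once
        per outage so the on-call channel is not flooded.
        """
        if online:
            was_alarmed = self.alarmed
            self.missed = 0
            self.alarmed = False
            if was_alarmed:
                msg = f"{when.isoformat()} RECOVERED {self.name} back online"
                self.events.append(msg)
                return msg
            return None
        self.missed += 1
        if self.missed >= self.missed_limit and not self.alarmed:
            self.alarmed = True
            msg = (f"{when.isoformat()} ALARM {self.name} ({self.host}:{self.port}) "
                   f"unreachable for {self.missed} consecutive probes; "
                   "verify the device is physically present in the server room")
            self.events.append(msg)
            return msg
        return None


def run_sequence(monitor: DeviceMonitor, results: List[bool],
                 start: datetime, interval_s: int = 60) -> List[str]:
    """Replay a list of probe outcomes at a fixed interval; return the messages raised."""
    raised = []
    t = start
    for ok in results:
        msg = monitor.record(ok, t)
        if msg:
            raised.append(msg)
        t += timedelta(seconds=interval_s)
    return raised


# Constructed probe history: the device answers twice, vanishes for four
# polls, then reappears (e.g. plugged back in).
SAMPLE_PROBES = [True, True, False, False, False, False, True]


def demo() -> List[str]:
    # 192.0.2.10 is a documentation address; the start time is constructed.
    m = DeviceMonitor(name="nas-01", host="192.0.2.10")
    return run_sequence(m, SAMPLE_PROBES, datetime(2020, 1, 1, 9, 0))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

With a one-minute poll and a threshold of three, the alarm is raised at 09:04, two minutes after the first missed probe, and a single recovery line is logged when the device answers again; in production the `probe()` method would replace the replayed list and the returned message would go to a pager or ticketing system rather than stdout.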