The UK government's Information Commissioner has found Skipton Financial Services (SFS) in breach of the Data Protection Act following the theft of an unencrypted laptop containing the personal information of 14,000 SFS customers.
The machine, which was reported lost in December 2007, held dates of birth, national insurance numbers and investment amounts, and was stolen from an SFS contractor working for Moore Stephens Consulting.
The Information Commissioner's Office said that Skipton should have used encryption to keep the data safe, but it is taking no action against the organisation for the security breach.
Instead it has agreed an undertaking with the financial services organisation over future security standards.
Sensitive information on laptops used by SFS staff or contractors must be encrypted in future and the organisation will also carry out risk assessments where third parties are processing data on its behalf.
Mick Gorrill, assistant commissioner at the ICO, said: "It is not always possible to prevent the theft of mobile devices such as laptops, but it is possible to minimise the damage caused by such losses.
"Companies must introduce adequate security procedures and safeguards, for example password protection and encryption, to protect personal information before it is allowed to leave the premises on a laptop. The ICO has issued clear guidance to help employers understand their obligations under the Data Protection Act.
"Organisations which process personal information must ensure that information is secure — this is an important principle of the Act. If organisations fail to introduce safeguards to protect information they risk losing the trust and confidence of both employees and customers."