Marks & Spencer (M&S) has been found to be in breach of data protection laws, following the theft of an unencrypted laptop containing the personal details of 26,000 employees.

An investigation by the Information Commissioner's Office (ICO) revealed that the laptop, which contained M&S employees' pension details, was stolen from the home of an M&S contractor.

The ICO has since issued M&S with an enforcement notice, which orders the organisation to ensure all laptop hard drives are fully encrypted by this April. Failure to comply with this order is a criminal offence, the ICO warned.

"It is essential that before a company allows personal information to leave its premises on a laptop, there are adequate security procedures in place to protect personal information, for example, password protection and encryption," said Mick Gorrill, assistant commissioner at the ICO.

"Organisations which process personal information must ensure that information is secure – this is an important principle of the act. If organisations fail to introduce safeguards to protect information they risk losing the trust and confidence of both employees and customers."