The data on the laptop, which was stolen from the home of an M&S contractor, was unencrypted.
The ICO has ordered M&S to make sure all laptop hard drives are fully encrypted by April 2008.
Failure to comply with the enforcement order is a criminal offence, the ICO said, adding: "It is essential that before a company allows personal information to leave its premises on a laptop there are adequate security procedures in place to protect personal information, for example, password protection and encryption.”
Last year the Information Commissioner warned that companies which lost personal data on unencrypted laptops would be treated as criminally negligent, even when such thefts took place from employees’ homes.
Making companies vicariously liable for the data loss actions of their contractors is an alarm call that should have security managers sleeping very uneasily!