Marks and Spencer has been found in breach of data protection rules after the theft of a laptop containing the personal details of 26,000 employees.
M&S says it has already begun encrypting laptops
The Information Commissioner's Office (ICO) said the data on the laptop, which was stolen from the home of an M&S contractor, was unencrypted.
The ICO has ordered M&S to make sure all laptop hard drives are fully encrypted by April 2008.
M&S said it would do everything it could to comply with the ICO order.
The stolen laptop contained details on the pension arrangements of M&S staff.
"It is essential that before a company allows personal information to leave its premises on a laptop there are adequate security procedures in place to protect personal information, for example, password protection and encryption," said Mick Gorrill, assistant commissioner at the ICO.
An M&S spokeswoman said the retailer had not been expecting the ruling and had already been working with the regulator to remedy the problem.
She added that no employees had reported problems resulting from the loss of the data contained in the laptop, which was stolen in April 2007.
M&S said it had already begun encrypting laptops.
Failure to comply with the enforcement order is a criminal offence, the ICO said.