Firms are facing a two-pronged attack from the FSA and the Information Commissioner over the steps they take to maintain security of personal data. The two regulators are working together to require the financial services industry to improve the precautions it takes to prevent data loss. Both regulators have brought disciplinary proceedings against firms. In particular, firms who allow data to be held on unencrypted laptops or memory sticks face enforcement proceedings from both the FSA and the Information Commissioner.
It’s happening nationwide
The FSA’s clampdown on lapses in data security began last year with a £980,000 fine imposed on Nationwide Building Society. A laptop containing confidential customer information that could have been used for the purposes of financial crime was stolen from the home of a Nationwide employee. Although the theft of the laptop was promptly reported by the employee to Nationwide, it took three weeks before Nationwide investigated what data was held on the laptop. Nationwide was found to have acted in breach of FSA principle 3, which requires firms to take reasonable care to organise and control their affairs responsibly and effectively with adequate risk management systems. The FSA was particularly concerned that Nationwide had failed to take appropriate steps to prevent financial crime.
Laptops skipping away
In February 2008 the Information Commissioner brought proceedings against Skipton Financial Services, a subsidiary of the Skipton Building Society, after a laptop had been stolen from one of its contractors. The laptop contained personal information about 14,000 customers including names, dates of birth, national insurance numbers and amounts invested. The Information Commissioner required Skipton to give an undertaking that all personal data held on laptop computers must be encrypted. It is notable that the Skipton theft occurred not from its own employee but from the employee of a contractor. This did not reduce Skipton’s responsibility. Indeed, the Information Commissioner required Skipton to undertake risk assessments to ensure the security of data passed to third parties. This case is a salutary reminder that when firms outsource IT or any other functions, they remain responsible for them.
The FSA’s do’s and don’ts
The FSA has now published a detailed paper, “Data Security in Financial Services”, containing some 100 pages of examples of good and poor practice. Top of the list of prohibitions is that customer data must not be taken offsite on laptops or other portable devices (for example memory sticks) which are not encrypted. Firms breaching this rule can expect to be the subject of enforcement action by both the FSA and the Information Commissioner. The FSA expects firms to have detailed data security policies, and there should be a senior manager with overall responsibility for data security. Data security is not just an IT issue but should be an integral part of a firm’s risk management procedures.
Staff should be trained on the financial crime risks arising from poor data security. All staff who may have access to data should be vetted. This covers not only professional staff but also, for example, cleaners who have access to areas where personal data may be contained in unlocked filing cabinets or sitting on people’s desks. Staff with no genuine business need should not be allowed to access areas where customer data is held.
Data security is not only an issue for banks and insurers with databases of millions of customers. Most financial advisers who visit customers in their homes or offices will use a laptop to undertake their fact-finding. That laptop will then contain clients’ personal data and must be encrypted.
Information Commissioner threatens substantial penalties
In a speech on 29 October 2008, the Information Commissioner issued yet another warning of the need for good practice. The Information Commissioner expects that, within each organisation, an individual should have responsibility for safeguarding personal data. This reflects the FSA’s requirement for appropriate apportionment of responsibilities. In his speech, the Information Commissioner viewed data security not as an IT issue but as one of good governance. Firms must put in place appropriate policies and use technology to minimise risks, and must ensure there is an appropriate culture of privacy and data security led from the top. The Information Commissioner has also welcomed new powers being given to him by amendments to the Data Protection Act to allow him to impose substantial penalties for deliberate or reckless breaches of the Act and to undertake inspections and audits of data controllers: “the threat and reality of substantial penalties will concentrate minds and act as a real deterrent”.
Being open about data losses
Principle 11 in the FSA Handbook requires firms to deal with their regulators in an open and co-operative way. This is often viewed as simply an obligation to tell the FSA everything of which it would expect to be notified, but principle 11 applies not only to the FSA but to all regulators. Firms which fail to deal appropriately with the Information Commissioner will be in breach of FSA principle 11.
The Information Commissioner has said that his office should be contacted immediately when any significant breach of the Data Protection Act is discovered. He will expect a risk assessment applying to the particular situation, including steps to reduce the risks to individuals and to the integrity of the organisation’s operation.
The biggest loss
Since HMRC lost two CDs containing the entire child benefit database, it has become clear that losses of personal data are unacceptable to the public. The requirements to notify the FSA and the Information Commissioner, and in most significant cases those affected, mean that losses of personal data will inevitably become public. The reputational damage this is likely to cause may be of more concern to firms than even significant regulatory fines.