The Financial Services Authority has considerably increased the stakes in its efforts to get the organisations it regulates to take data security seriously. This week it fined banking giant HSBC a whopping £3.2 million for losing the personal details of more than 180,000 customers in the post.
This is the largest fine ever imposed by the FSA in respect of data security breaches. It considerably exceeds its previous biggest fine of £1.3 million, imposed on Norwich Union in 2007, and illustrates the increasing importance placed on data security by the FSA.
The FSA held that three of the bank’s units, HSBC Life, HSBC Actuaries and HSBC Insurance Brokers, had failed to put in place adequate systems and controls to protect customers’ details from loss or theft.
In April 2007, HSBC Actuaries lost a disc containing data on 2000 pension scheme members.
In February 2008, HSBC Life lost a CD containing the personal details of 180,000 policy-holders. The disc was unencrypted and was sent by unrecorded delivery. It contained details such as names, ages, sex, dates of birth and policy numbers.
The breaches occurred at a time when there had been several high-profile data security breaches, such as the loss by HMRC of unencrypted computer disks. The regulator expressed concern that the “increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect customers’ details.”
To compound the situation, the FSA found that HSBC had been “careless” with personal data which as a result “could have ended up in the hands of criminals”.
Confidential information about customers was left on open shelves and in unlocked cabinets, and customer data, such as bank account details, was routinely disposed of as regular waste paper. Papers containing personal details were left open in sacks in the head office reception area, awaiting refuse collection.
This ruling is of significance to all organisations, not just those regulated by the FSA. The Information Commissioner (ICO) has recently been granted new powers to fine organisations for serious breaches of the Data Protection Act 1998. However, those powers will not come into force until the ICO has reached an agreement with the Government as to the level of fines which can be imposed.
If the ICO has its way, it will obtain the power to fine organisations at levels comparable to those of the FSA. This would considerably raise the profile of data security for all organisations, not just those that are regulated by the FSA.
No organisation can completely safeguard itself against a security breach resulting from human error. However, simple measures can be put in place in every organisation to minimise the risk of it being found guilty of a security breach of this magnitude.