In February the Financial Services Authority (FSA) issued a Final Notice to Nationwide Building Society (Nationwide) regarding enforcement action taken in relation to a data security breach. The Final Notice detailed the reasons why the FSA was imposing a financial penalty on Nationwide of £980,000, a discounted sum from the original £1,400,000 penalty proposed. The Final Notice is available to read on the FSA's website.

The Facts

In August 2006 a Nationwide laptop was stolen from the home of an employee, and the theft was promptly reported. Upon notification of the theft, Nationwide disabled the remote access facility for that laptop, preventing access to Nationwide's live systems. What was not reported, or even known by Nationwide, was the amount of confidential customer data that was held on the laptop. Following the theft, there was a period of 3 weeks in which no further action was taken by Nationwide, as the employee was on leave. It was only after the employee returned that the extent of the data was investigated by Nationwide, and when it learned that the laptop had contained confidential customer information the theft was reported to the FSA and the Information Commissioner.

The Breaches

The FSA was clear in its decision that it did not expect Nationwide to be able to prevent the theft; however, it found that the breaches lay in the lack of controls that Nationwide had in place to establish and reduce the risks to its customers as a result of such thefts. The FSA found that these failures amounted to a breach of Principle 3 of the FSA's Principles for Businesses, which requires every regulated financial services entity "to organise and control its affairs responsibly and effectively with adequate risk management systems".

In particular, the FSA noted that Nationwide did not have sufficient controls in place to monitor the amount of customer data that was downloaded onto the laptop. This meant that Nationwide was unaware of the risks to its customers that the theft posed. Furthermore, upon learning of the theft, Nationwide did not have procedures in place to establish the level of risk to its customers that the theft posed.

The FSA also noted that although Nationwide did have some procedures in place, it had not trained its staff adequately or carefully enough to ensure that those procedures were adhered to, and as a result those procedures failed to manage the risk its customers faced.

The FSA did recognise that some of Nationwide's procedures served to reduce the severity of the incident somewhat, including increased customer account security and disabling the remote access from the stolen laptop once notified of the theft. The FSA did comment, however, that Nationwide's measures on customer account security focussed on anti-fraud and anti-money laundering measures and did not take into account the risk of loss of customer data. This the FSA felt was inexcusable in light of Nationwide's position as the largest building society in the UK, and given the current media attention given to information security and identity theft. The FSA also mentioned its own report "Countering Financial Crime Risks in Information Security", which was published in November 2004 and dealt with the issues of data security in particular.

Conclusion

The breaches addressed by the FSA's Final Notice would also probably be considered breaches of the Seventh Principle of the Data Protection Act 1998, which requires organisations to employ appropriate technical and organisational security measures to protect personal data. The Information Commissioner's statutory enforcement powers are, however, notoriously weak, and as such this action by the FSA is even more significant by comparison. It sends a clear message to all financial services organisations that both the FSA and the Information Commissioner have jurisdiction over data security matters, and will review the practical processes that companies have in place to consider whether they are adequate for the security of the data in question. This Final Notice will also be of interest to non-financial services organisations because it provides a fair amount of detail about what the FSA considered to be inadequate in Nationwide's processes and what steps the FSA was looking for Nationwide to take to remedy the breaches. This guidance is of use to any organisation looking to address the complex issues of data security and information management.