On February 14, the UK Financial Services Authority announced that it had fined Nationwide Building Society £980,000 (approx. $1.9 million) for a breach of FSA’s Principle 3 (Systems and Controls) by failing adequately to assess the risks relating to information security and take reasonable care to ensure that it had adequate procedures to manage those risks, including the risks that electronic equipment containing customer information might be lost or stolen. Further, Nationwide had inadequate controls in place to ensure that its procedures would be followed. The Principle which Nationwide was held to have breached provides that “A firm must take reasonable care to organize and control its affairs responsibly and effectively, with adequate risk management systems.”
Nationwide is the UK's largest building society (broadly equivalent to a U.S. savings and loan association). It has over 11 million customers. In August 2006 a company laptop was stolen from the home of a Nationwide employee. The laptop contained confidential customer information which the FSA concluded could have been used to further financial crime. The FSA’s November 2004 Information Security Report, “Countering Financial Crime Risks in Information Security”, specifically highlighted the need for firms to have incident management procedures commensurate with the size of their operations.
The FSA found that Nationwide's failure to implement robust systems and controls regarding the use and storage of customer information on portable storage devices potentially put its customers at an increased risk of being victims of financial crime in the event of loss or misuse of the data. Although Nationwide reported the loss of the laptop to the police, the Information Commissioner, and to the FSA, the FSA concluded that Nationwide's failure to respond quickly and appropriately in the first three weeks following the theft of the laptop in this case increased the opportunity for the information to be used in a way which might result in financial crime.
The FSA’s findings included the following:
Nationwide failed adequately to consider the wider risks to customer information from Nationwide systems being compromised and, as a result, it failed to put in place appropriate controls and monitoring mechanisms to mitigate these risks. The failure to manage or monitor downloads of very large amounts of data onto portable storage devices meant that Nationwide had limited control over information held in this way or how it was used, increasing the risk that it could be used to further financial crime.
Nationwide’s systems and controls were such that, when the laptop was stolen, Nationwide was not aware that it contained confidential customer information. For a period of three weeks after the theft of the laptop Nationwide failed to take any steps to investigate whether it contained such information.
The cumulative impact of the failings represented a significant risk to the FSA objective of reducing the extent to which it is possible for regulated firms to be used for a purpose connected with financial crime. In particular, Nationwide:
- failed adequately to assess the risks in relation to the security of customer information;
- had procedures in relation to information security which failed adequately and effectively to manage the risks it faced;
- failed to implement adequate training and monitoring to ensure that its information security procedures were disseminated and understood by staff;
- failed to implement adequate controls to mitigate information security risks, to ensure that employees adhered to its procedures and to ensure that it provided an appropriate level of information security; and
- failed to have appropriate procedures in place to deal with an incident involving the loss of customer information and, as a result, Nationwide did not respond appropriately and in a timely manner to establish the risks to its customers of financial crime arising from the theft of the laptop.
By agreeing to settle at an early stage of the FSA's investigation, Nationwide qualified for a 30% discount under the FSA's executive settlement procedures. Without that discount the fine would have been £1.4 million (approx. $2.7 million).