Kudos to the United Kingdom and their Financial Services Authority (FSA). The FSA is an independent body that regulates the financial services industry in the UK. They have been given a wide range of rule-making, investigatory and enforcement powers and they just fined three HSBC firms more than £3m for failing to adequately protect customers’ confidential details from being lost or stolen.
HSBC and unencrypted data
These fines are not for a small or one-time incident – but for ongoing failure to ensure the security of confidential data. Just look at this list of issues.
- “Large amounts” of unencrypted customer details had been sent via post or courier to third parties.
- Confidential information about customers was also found left on open shelves or in unlocked cabinets.
- In April 2007, HSBC Actuaries lost a floppy disk containing the personal information of 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers.
- In February 2008, HSBC Life lost a CD containing the details of 180,000 policyholders.
It should come as no surprise that the FSA found that HSBC staff had not been given sufficient training on how to identify and manage risks such as identity theft. The firms have taken a number of remedial actions to address the concerns raised, including contacting the customers concerned, improving their staff training and requiring that all electronic data in transit is encrypted.
Financial Services Authority and Data Safety
Unfortunately this is not a unique step as in the last four years, the FSA has fined Capita Financial Administrators £300,000; Nationwide £980,000; BNP Paribas Private Bank £350,000; Norwich Union £1,260,000; and Merchant Securities £77,000 for failings relating to data security lapses and fraud.
Fortunately, the FSA has been empowered to take action! Highlighting the teeth that the FSA has been given, the three HSBC firms agreed to settle at an early stage of the FSA’s investigation and therefore received a 30% discount. They could have been fined another £1,500,000!
All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals – Margaret Cole, Financial Services Authority
FSA Principle 3 states that a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. HSBC obviously failed to meet this standard, and Clive Bannister, group managing director of HSBC Insurance, said: “We hold ourselves to the highest standards, but it is clear that in these instances we have fallen short, which we sincerely regret.”
The FSA is asking for even more opportunities to impact companies that are lax with security protocols. They want to ensure that fines better reflect the scale of the wrongdoing and that any profits made from the breaches are reduced. Under the new proposals, fines will be linked more closely to income:
- Up to 20% of the company’s income from the product or business area linked to the breach over the relevant period
- Up to 40% of an individual’s salary and benefits (including bonuses) from their job relating to the breach
Now, maybe if more regulatory agencies around the world took action like the FSA we would actually see a world where data is actually safer and companies are routinely encrypting their drives.
I wish we could get the same type of authority taking action here in Canada. Enforcement is nowhere near where it should be. The UK has really taken a fine leadership role (in this instance – I’m still happy to live in a former British colony!).
I have to agree that the enforcement is great in the UK – but I suspect that this also means more organisations try and hide the information on data breaches. So in that sense it is a double-edged sword. I think they should still do the enforcement – but at one level it can drive under-reporting of data losses.
Awesome – very great matter. I am going to blog about it also.
Thanks for the article. Do you have any similar references to find out more about this?