"Double-jeopardy" threat for banks

A regulatory partner at a London law firm has labeled the £3.2million fine the Financial Services Authority imposed on HSBC as unprecedented and draconian.

Yesterday, I wrote about HSBC being fined by the FSA for failing to adequately protect customer data by not encrypting computer discs containing personal information and for failing to keep personal paper files on site under lock and key. RPC partner, Jonathan Davies said fining HSBC for the latter was draconian. He said the £3.2 million fine was much more substantial than that imposed on Nationwide Building Society for similar failures back in 2007.

Back in 2007, the FSA imposed a £980,000 fine on Nationwide for ineffective information security controls following theft of a laptop from a Nationwide employee's home. "You can see that fines for financial services companies have undergone massive inflation as the FSA has instituted its get tough policy in response to the credit crunch,” said Davies.

Given the pubic backlash against data leakages and the increased threat of customer details being used for fraudulent purposes, particularly in difficult economic times, the hefty fine the FSA imposed on HSBC should come as no surprise even though it may be unprecedented.

Regulators are taking an increasingly dim and no-nonsense view of banks that fail to protect customer data and as banks trade on their reputation as trusted third parties, how can consumers take them seriously when banks fail to adequately protect customer data?

Banks could be in even more hot water from next year as in addition to FSA-imposed fines, the UK's Information Commissioner will also have the power to impose fines on companies for data breaches.

"When the Information Commissioner gains this power next year, any FSA-regulated firm may well be subject to “double jeopardy” fines for data protection breaches," said Oliver Bray, a partner at RPC specializing in data protection. "One careless mistake by a regulated firm could expose it to fines from both the Information Commissioner and the FSA. From a wider perspective, all businesses should be concerned that the Information Commissioner may be encouraged by this case to apply similar levels of fines when he starts flexing his new muscles next year."

HSBC businesses fail to protect customer information

We have all heard the horror stories of customers' confidential personal and account information being accidentally misplaced or stored on unencrypted discs by thoughtless employees in both public and private sector companies.

At the public level, Her Majesty's Revenue & Customs made one of the biggest gaffes when two CDs containing the personal details of 25 million customers goes missing. The HMRC was not fined but its boss Paul Gray quit over the missing discs.

However, in the private sector, the penalties for failing to adequately protect customer data are more severe, which is borne out by the £3 million fine the Financial Services Authority (FSA) in the UK has imposed on HSBC following a series of incidences in 2007 and 2008 regarding three of its businesses; Life UK, Actuaries & Consultants and Insurance Brokers.

Back in 2007, Citywire reports that HSBC Actuaries lost an unencrypted disk containing personal information, including national insurance numbers of approximately 2,000 pension scheme members. In February 2008, HSBC Life lost an unencrypted CD containing the details of 180,000 policy holders.

The FSA said despite increasing awareness of the need to protect people's confidential details, all three firms failed to put in place adequate procedures to manage their financial crime risks.

"All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals. It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers' details," stated Margaret Cole, director of enforcement at the FSA.

Cole said that in areas where the FSA had previously warned firms of the need to improve, people can expect to see fines increase to deter others and change behaviour in the industry. But will fines be enough, as despite previous hefty fines, data leakage and firms' failure to encrypt confidential customer information remains a major problem. When protecting customer information is as simple as encrypting information stored on discs, why do firms remain non-compliant?

Firms fail to comply with data protection standards

In the fight against fraud, so much emphasis is placed on monitoring of individual transactions, that often firms forget about getting the basics right. Protecting confidential customer data is essential in the fight against fraud, yet companies continue to fail to adhere to data protection standards.

According to a survey published by BSI, the UK's National Standards Body, almost one in five businesses breached the Data Protection Act (DPA) on one or more occasions - many without even realising it. This could be because they failed to hold information securely, illegally transferred information to a third party or neglected other legal obligations.

Tim Thompson, UK Managing Director at 41st Parameter, says the cost of fraud is often thought of in terms of how much money is stolen, however, he says this is too much of a short-term view. "Now, more so than ever, organised 'fraud rings' are cashing in on an underground economy, which deals in stolen personal information."

Thompson said the BSI survey highlighted the fact that 65% of businesses provide no data protection training for their staff. Almost half of firms indicated that there was no one in their business with specific responsibility for data protection and 18% of businesses said that data protection was less of a priority in the current economic climate.

The latter is alarming given that fraud is reportedly on the rise in the current recession. Can firms afford to lose not only millions through fraud, but also a tarnished reputation with their customers, if they continue to take a lackadaisical approach to data protection?

"If a company is hit by a security breach and data is taken, not only is it highly likely that it will be hit with fraudulent actions, its reputation will quickly become tarnished, and new and existing customers will take their business elsewhere," says Thompson of 41st Parameter.