Wednesday, 22 July 2009

HSBC businesses fail to protect customer information

We have all heard the horror stories of customers' confidential personal and account information being accidentally misplaced or stored on unencrypted discs by thoughtless employees in both public and private sector companies.

At the public level, Her Majesty's Revenue & Customs made one of the biggest gaffes when two CDs containing the personal details of 25 million customers goes missing. The HMRC was not fined but its boss Paul Gray quit over the missing discs.

However, in the private sector, the penalties for failing to adequately protect customer data are more severe, which is borne out by the £3 million fine the Financial Services Authority (FSA) in the UK has imposed on HSBC following a series of incidences in 2007 and 2008 regarding three of its businesses; Life UK, Actuaries & Consultants and Insurance Brokers.

Back in 2007, Citywire reports that HSBC Actuaries lost an unencrypted disk containing personal information, including national insurance numbers of approximately 2,000 pension scheme members. In February 2008, HSBC Life lost an unencrypted CD containing the details of 180,000 policy holders.

The FSA said despite increasing awareness of the need to protect people's confidential details, all three firms failed to put in place adequate procedures to manage their financial crime risks.
"All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals. It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers' details," stated Margaret Cole, director of enforcement at the FSA.
Cole said that in areas where the FSA had previously warned firms of the need to improve, people can expect to see fines increase to deter others and change behaviour in the industry. But will fines be enough, as despite previous hefty fines, data leakage and firms' failure to encrypt confidential customer information remains a major problem. When protecting customer information is as simple as encrypting information stored on discs, why do firms remain non-compliant?

No comments: