Showing posts with label Data leakage. Show all posts

Thursday, 23 July 2009

"Double-jeopardy" threat for banks

A regulatory partner at a London law firm has labelled the £3.2 million fine the Financial Services Authority imposed on HSBC as unprecedented and draconian.

Yesterday, I wrote about HSBC being fined by the FSA for failing to adequately protect customer data: it had not encrypted computer discs containing personal information and had not kept personal paper files on site under lock and key. RPC partner Jonathan Davies said that fining HSBC for the latter was draconian. He said the £3.2 million fine was much more substantial than that imposed on Nationwide Building Society for similar failures back in 2007.

Back in 2007, the FSA imposed a £980,000 fine on Nationwide for ineffective information security controls following the theft of a laptop from a Nationwide employee's home. "You can see that fines for financial services companies have undergone massive inflation as the FSA has instituted its get tough policy in response to the credit crunch," said Davies.

Given the public backlash against data leakages and the increased threat of customer details being used for fraudulent purposes, particularly in difficult economic times, the hefty fine the FSA imposed on HSBC should come as no surprise, even though it may be unprecedented.

Regulators are taking an increasingly dim and no-nonsense view of banks that fail to protect customer data. Banks trade on their reputation as trusted third parties, so how can consumers take them seriously when they fail to adequately protect customer data?

Banks could be in even more hot water from next year: in addition to FSA-imposed fines, the UK's Information Commissioner will also have the power to impose fines on companies for data breaches.

"When the Information Commissioner gains this power next year, any FSA-regulated firm may well be subject to 'double jeopardy' fines for data protection breaches," said Oliver Bray, a partner at RPC specialising in data protection. "One careless mistake by a regulated firm could expose it to fines from both the Information Commissioner and the FSA. From a wider perspective, all businesses should be concerned that the Information Commissioner may be encouraged by this case to apply similar levels of fines when he starts flexing his new muscles next year."

Wednesday, 22 July 2009

HSBC businesses fail to protect customer information

We have all heard the horror stories of customers' confidential personal and account information being accidentally misplaced or stored on unencrypted discs by thoughtless employees in both public and private sector companies.

At the public level, Her Majesty's Revenue & Customs made one of the biggest gaffes when two CDs containing the personal details of 25 million customers went missing. HMRC was not fined, but its boss Paul Gray quit over the missing discs.

However, in the private sector the penalties for failing to adequately protect customer data are more severe, as borne out by the £3 million fine the Financial Services Authority (FSA) in the UK has imposed on HSBC following a series of incidents in 2007 and 2008 involving three of its businesses: Life UK, Actuaries & Consultants and Insurance Brokers.

Back in 2007, Citywire reports, HSBC Actuaries lost an unencrypted disk containing personal information, including the national insurance numbers of approximately 2,000 pension scheme members. In February 2008, HSBC Life lost an unencrypted CD containing the details of 180,000 policy holders.

The FSA said that despite increasing awareness of the need to protect people's confidential details, all three firms failed to put in place adequate procedures to manage their financial crime risks.

"All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals. It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers' details," stated Margaret Cole, director of enforcement at the FSA.

Cole said that in areas where the FSA had previously warned firms of the need to improve, people can expect to see fines increase to deter others and change behaviour in the industry. But will fines be enough? Despite previous hefty fines, data leakage and firms' failure to encrypt confidential customer information remain a major problem. When protecting customer information is as simple as encrypting information stored on discs, why do firms remain non-compliant?

Friday, 10 July 2009

Firms fail to comply with data protection standards

In the fight against fraud, so much emphasis is placed on monitoring individual transactions that firms often forget about getting the basics right. Protecting confidential customer data is essential in the fight against fraud, yet companies continue to fail to adhere to data protection standards.

According to a survey published by BSI, the UK's National Standards Body, almost one in five businesses breached the Data Protection Act (DPA) on one or more occasions - many without even realising it. This could be because they failed to hold information securely, illegally transferred information to a third party or neglected other legal obligations.

Tim Thompson, UK Managing Director at 41st Parameter, says the cost of fraud is often thought of in terms of how much money is stolen; however, he says this is too much of a short-term view. "Now, more so than ever, organised 'fraud rings' are cashing in on an underground economy, which deals in stolen personal information."

Thompson said the BSI survey highlighted the fact that 65% of businesses provide no data protection training for their staff. Almost half of firms indicated that there was no one in their business with specific responsibility for data protection and 18% of businesses said that data protection was less of a priority in the current economic climate.

The latter is alarming given that fraud is reportedly on the rise in the current recession. Can firms afford to lose not only millions through fraud, but also a tarnished reputation with their customers, if they continue to take a lackadaisical approach to data protection?

"If a company is hit by a security breach and data is taken, not only is it highly likely that it will be hit with fraudulent actions, its reputation will quickly become tarnished, and new and existing customers will take their business elsewhere," says Thompson of 41st Parameter.


Wednesday, 3 June 2009

Bank sues auditor over losses resulting from card data breach

An interesting test case involving a US bank suing an auditor, which it claims was negligent in certifying a payment processing company, is believed to be the first case of its kind and could set a precedent for others to follow.

Merchant acquiring bank Merrick Bank, based in Utah, is suing auditor Savvis Inc., claiming that it lost $16 million as a result of fraud, fines and other costs related to a 2004 data breach at payments processing provider CardSystems, in which hackers stole 263,000 card numbers.

Merrick says its losses stemmed from having to pay Visa and MasterCard to reimburse their issuers for the breach-related fraud, as well as other costs including legal fees. Prior to the data breach, Savvis had carried out an audit of CardSystems. Merrick Bank now claims that report was "false and misleading" and that Savvis "failed to use reasonable care and competence in representing that CardSystems was CISP-compliant when in fact it was not."

The Cardholder Information Security Program (CISP) preceded the PCI-DSS standard for securely storing card data. One of the basic requirements of card data security is that the data should be encrypted.

Friday, 17 April 2009

Data security standards - A toothless tiger?

Some alarming statistics have been published by Verizon regarding data breaches. According to the 2009 Verizon Business Data Breach Investigations Report, more electronic records were breached in 2008 than in the previous four years combined, and banks were the worst culprits for compromising records.

The report says that the financial sector accounted for 93% of the 285 million records compromised during 2008 and that 90% of the records breached were reportedly targeted by groups involved in organised crime.

Interestingly, most (74%) of the data breaches came from external parties, and only 20% were caused by insiders. So the biggest threat to confidential customer data still appears to come from external attackers breaking into servers and applications online. Financial service providers are doing nowhere near enough to secure customer data, including implementing basic forms of protection such as data encryption.

The credit card companies introduced PCI-DSS (the Payment Card Industry Data Security Standard), which includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures for securing credit card data. The standard includes basic requirements such as implementing a firewall and encrypting the transmission of cardholder data across open networks.

However, according to Verizon's report, 81% of affected organisations subject to PCI-DSS were non-compliant prior to being breached. Firms that fail to comply with PCI-DSS risk losing their merchant account, and could be subject to fines, lawsuits and bad publicity, as in the case of TJX in the US, which suffered the largest known data breach to date when hackers stole 45.7 million credit and debit card numbers, as well as personal data, including driver's license numbers of another 455,000 customers.

TJX did not comply with PCI-DSS, as cardholder data was unencrypted. Penalties for non-compliance range from fines of up to $500,000 to increased auditing requirements or losing the ability to process credit card transactions. But if Verizon's statistics are anything to go by, PCI-DSS appears to be something of a 'toothless tiger' in terms of forcing companies to implement even the most basic data security measures.

It begs the question, why aren't companies encrypting data? Is it a cost factor, a technology issue (what form of encryption to use) or just plain ignorance? Certainly the reputational implications, as evidenced by TJX, outweigh the upfront costs of securing and encrypting customer data.

Tuesday, 24 March 2009

Banks could do more to protect customer data

As more fraudsters take over customer bank accounts, a company that shreds confidential information says banks need to do more in terms of safeguarding confidential material and educating customers about the risks of fraud.

According to CIFAS, the UK’s fraud prevention service, in 2008 there was a 207% rise in facility takeover fraud, whereby "scammers" intercept bank statements, credit card bills, receipts and account slips so that they can take over bank accounts that belong to other people.

Interestingly, while banks appear to have done considerable work in terms of implementing internal systems to detect fraud, sending credit card or account statements and PIN numbers by post to customers is hardly state-of-the-art fraud prevention.

Shred Easy, which collects, destroys and recycles materials including paper and IT equipment, believes more could be done to educate bank customers about fraud and that banks should provide free advice on fraud and identity theft.

There is something to be said for greater customer awareness of what indicators to look out for in order to help prevent and detect fraud earlier. When you open an account with a bank, it would be good to receive a pamphlet or brochure on bank account and credit card fraud, with tips on the telltale signs or behaviours customers should look for.

But banks also need to rethink their approach to safeguarding customer data. If they are still sending out paper account statements that can easily be intercepted (instead of, say, a digitally signed, encrypted electronic file), then customer education will only go so far in helping reduce fraud.

Friday, 14 November 2008

Personal data loss an "alarming" problem

High profile instances of accidental leakages of sensitive customer information show no signs of abating. This time last year the media was having a field day with the revelation that the UK's HM Revenue & Customs (HMRC) had lost two discs containing the personal details of 25 million people. According to Symantec, not much has improved since then.

Symantec says an additional nine million personal records have been lost since the HMRC incident by private companies and third-party data handlers. The total loss of 34 million people's records means that more than half of the UK's 61 million population have had their data lost in the last year, which, when you put it like that, sounds alarming.

While UK Prime Minister Gordon Brown has made it abundantly clear that the government cannot guarantee the protection of personal data by bumbling bureaucrats who appear to have a penchant for leaving laptops and USB sticks lying around on trains or in pubs, Symantec's Data Loss Prevention survey does not show much hope for the private sector either.

Almost half of UK companies surveyed admitted that one or more incidents of data loss had taken place, and another 25% had no strategy for dealing with data loss, which is concerning given the reputational risks and increasingly hefty fines.

Symantec's survey suggests that companies are not taking data protection seriously enough or that they don't know where to start.

It has provided companies with some useful pointers on measures that can be taken to prevent data loss:

One of the big ones is to educate employees about the importance of data loss avoidance and the procedures for it.

Secondly, Symantec recommends "locking down" computers, mobile devices and other removable media using either software or physical locks. The big problem seems to be stopping employees from taking personal information outside the corporate firewall.

Network access controls should mean that employees can only access "relevant" systems and information.

Data should also be monitored to prevent leakages (although with so much data residing in firms, data classification in terms of which data needs to be secured or classified 'top secret' is an essential first step).
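The last two pointers above (monitor data for leakage, and classify it first so you know what needs protecting) are the part a practitioner can actually automate. As an added example that is not from the post or from Symantec, the Python below scans a batch of records before they are written to removable media or sent outside the firewall and flags any record that contains the kinds of identifiers the posts on this page describe being lost: UK national insurance numbers and payment card numbers. The sample records, the simplified NI-number format check and the "ni_number"/"card_number" labels are constructed for this example; card candidates are confirmed with the Luhn checksum so that ordinary reference numbers are not flagged.

```python
import re

# Simplified UK National Insurance number format (an assumption for this example):
# two prefix letters (D, F, I, Q, U, V never appear; O never appears second),
# six digits, and a suffix letter A-D. Real validation also rejects certain
# specific prefixes, which is omitted here.
NI_PATTERN = re.compile(r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]\b")

# Candidate payment card numbers: 13 to 19 digits, optionally separated by
# single spaces or dashes. Candidates are only reported if they pass Luhn.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four characters so findings can be logged without re-leaking data."""
    return "*" * (len(value) - 4) + value[-4:]


def classify(text):
    """Return a list of (label, masked_value) for every sensitive identifier found in text."""
    findings = []
    for m in NI_PATTERN.finditer(text):
        findings.append(("ni_number", mask(m.group())))
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(("card_number", mask(digits)))
    return findings


def scan_export(records):
    """Return (record_index, findings) for each record that must not leave the firm unencrypted."""
    flagged = []
    for i, rec in enumerate(records):
        findings = classify(rec)
        if findings:
            flagged.append((i, findings))
    return flagged


# Constructed sample records standing in for a pension or policy export.
SAMPLE_RECORDS = [
    "Pension member AB123456C, scheme 7, statement enclosed",
    "Policy renewal reminder, ref 1234567890123, no action required",
    "Card on file 4111 1111 1111 1111 exp 12/11",
    "Customer contact, phone 020 7946 0000",
]

if __name__ == "__main__":
    for index, findings in scan_export(SAMPLE_RECORDS):
        print(f"record {index}: {findings}")
```

Records 0 and 2 are flagged (an NI number and a Luhn-valid card number); record 1's 13-digit reference fails the checksum and record 3's phone number is too short to be a card candidate, so neither is reported. The masked values are what should reach the monitoring log: the point of the control is to stop the export, not to copy the identifiers somewhere else.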