UK financial services businesses should be examining their information security procedures carefully following the substantial fine imposed on Nationwide Building Society for inadequate data security.

The Financial Services Authority (FSA), using powers under the Financial Services and Markets Act 2000 (FSMA), imposed a penalty of just under £1 million on Nationwide for failure to take "reasonable care" to organise its systems to effectively manage information security.

The decision follows an official investigation into the theft of a laptop from a Nationwide employee's home in August 2006. The computer contained details of around 11 million account holders. Although the corresponding PIN codes and passwords were not included, the FSA ruled that customers had still been exposed to an unacceptable risk of financial crime.

While the size of the fine (thought to be the UK's largest ever for such a security breach) will undoubtedly raise eyebrows, the case also highlights the dangers for organisations that have implemented what they believe to be comprehensive security measures.

In this case Nationwide had clearly adopted a number of precautions (some of them in light of previous FSA guidance) but, according to the regulator, had still failed to take sufficient care to assess the risks or to implement effective risk management processes. In particular, the FSA criticised: security procedures for staff published in an "unwieldy" format over a corporate intranet which failed to prioritise critical issues; generic staff sign-off and training that was not job specific; and a failure to check that staff actually followed the procedures. In addition, Nationwide's three-week delay in following up the theft to establish what data had been taken, together with inadequate incident management procedures, was ruled to have increased the risk of financial crime. The lesson is that a written policy counts for little unless it is prioritised, understood by the people it applies to, enforced in practice and backed by an incident response that starts promptly.

The Nationwide scenario also illustrates how a seemingly commonplace incident can develop into a time-consuming legal headache for the business concerned. The reasons why individuals are allowed to take confidential information out of the office are varied, although the intentions are rarely clandestine; usually this is simply to enable the employee to work from home or while travelling. The FSA notes that advances in data storage and low-cost portable technology have given staff and contractors the technical means (at least in theory) to download vast amounts of sensitive information with relative ease. Whilst laptops, BlackBerry devices, MP3 players, smartphones and USB drives have brought undoubted benefits, businesses also need to be mindful of the consequences of devices going walkabout from the office. Sometimes there is little control over, or awareness of, what is being accessed, and data may lack even the most basic password protection (and a login password alone does little to protect the contents of a stolen hard drive unless the data on it is also encrypted). The convenience of portability is also usually coupled with vulnerability to petty theft, or to a gadget simply being left in the pub, on the train or in a taxi.

The FSA says that it wants to send a "clear, strong message to all firms about the importance of information security". The £980,000 fine (reduced from £1.4 million for early settlement) will almost certainly do that. What is also clear is that even the best-intentioned organisation dealing with sensitive customer information cannot discharge its obligations simply by drafting an information security policy; it must also give full consideration to how that policy will be applied effectively and in practice on an ongoing basis. To do anything else is a hazardous and now, it would seem, potentially costly strategy.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.