Data security breaches: more penalties

The Financial Services Authority (FSA) has imposed its heaviest fine to date in relation to data security failures by a financial organisation.

The financial penalty of over £3 million (reduced from £4.5 million due to co-operation with the regulator) related to breaches involving three HSBC Bank subsidiaries (HSBC Life, HSBC Actuaries and HSBC Insurance Brokers) that managed to lose customer data in separate incidents.

27 July 2009

FSA Principle 3 states that regulated firms must take reasonable care to organise and control their affairs responsibly and effectively with adequate risk management systems.

The HSBC businesses involved were deemed to have breached their obligations under FSA Regulations by failing to adequately protect their customers' confidential details from being lost or stolen. It was revealed that, among the breaches, data on 1,917 pension scheme members (including addresses, dates of birth and NI numbers) were lost on an unencrypted floppy disk sent through the post by HSBC Actuaries. HSBC Life also lost an unencrypted CD containing the details of 180,000 policyholders. The lapses occurred despite HSBC's own compliance team having previously warned the subsidiaries about the need for robust data security controls.

This latest FSA action follows previous fines imposed on Nationwide Building Society (£980,000), BNP Paribas (£350,000) and Norwich Union (£1.26 million) for lax data security. It is clear that the FSA is keen to make examples of authorised firms which it feels have not met its stated security requirements.

On a separate issue, the Information Commissioner (IC), who is due to acquire new powers under the Data Protection Act to impose fines on financial and non-financial sector organisations for deliberate or reckless breaches of data security, has revealed that these sanctions (included in the Criminal Justice and Immigration Act 2008) are finally expected to come into effect in April 2010. At the same time, the level of financial penalty that the IC will be able to impose has still to be decided.