Simon Says – Musings of a Technology CTO

Following on from my recent posts regarding fines and the cost of data leakage (TJX and Cornell), I thought I’d also bring to your attention the latest initiated by the FSA (Financial Services Authority of UK) against HSBC – On 22nd July A tidy penalty of £4,550,000 ($7.5m) for two failures to protect personal information. HSBC will get a nice 30% discount on this for early payment, leaving them with a bill for £3,185,000 ($5.26m) plus their own internal costs.

The failures in summary were:

1. In April 2007, HSBC Actuaries lost an unencrypted floppy disk in the post, containing the personal information of 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers.

2. In February 2008 HSBC Life lost an unencrypted CD containing the details of 180,000 policy holders in the post.

The FSA also fined HSBC Insurance Brokers for failures to implement measures to protect said data according to section 206 of the Financial Services and Markets Act 2000, for failures to adhere to Principal 3 of the FSA’s “Principals for Business”

Principle 3 – Management and control

A firm must organise and control its affairs effectively.
This will include:
a) having directors and senior managers who are all fit and proper for their roles, and operating adequate arrangements for securing the suitability of persons who carry out functions on its behalf;

b) apportioning responsibilities among its senior managers and directors in such a way that

• their individual responsibilities are clear; and
• the business and affairs of the firm are adequately monitored and controlled at senior management and board level;

c) operating robust arrangements for meeting the standards and requirements of the regulatory system, and for guarding against involvement in market abuse or financial crime (including the detection and prevention of money laundering); and

d) keeping adequate and orderly records of its business and internal organisation.

The official summary of this is:

FSA Principle 3 states that a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.

This final penalty is interesting because it’s a fine based on a failure of business practice, not a fine for actually exposing any ones data – this is a true demonstration of the teeth that the FSA have in the UK.

In the last four years, the FSA has fined Capita Financial Administrators £300,000; Nationwide £980,000; BNP Paribas Private Bank £350,000; Norwich Union £1,260,000; and Merchant Securities £77,000 for failings relating to data security lapses and fraud.