When the Information Commissioner's Office got wind of a Nationwide employee's loss of a laptop carrying part of an 11 million strong customer list, it asked the FSA to use its sharper teeth. Will the same happen to Halifax B.S. after it reported a data loss? Paul Anning reports.
Who: Nationwide BS, Halifax BS and the Financial Services Authority
When: February 2007
A Nationwide laptop containing confidential customer information was stolen from the house of a Nationwide employee in August 2006. There was no evidence of any unauthorised access to, or misuse of, that information, and yet within six months the FSA had fined Nationwide £980,000. Why?
The FSA's action is based solely on Nationwide's breach of the FSA's Principles for Businesses – Principle 3: Management and control:
"A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems".
Specifically, Nationwide did not take reasonable care to ensure that it had effective systems and controls to manage information security risk, in particular the risk that customer information might be lost or stolen. The FSA clearly takes the view that the potential impact on consumers of such a failure is very high: the sanction attaches to the inadequacy of the controls, not to any demonstrated misuse of the data.
The FSA's formal Final Notice is instructive as to the specific failures identified. These include the following:
- while Nationwide's practice is to separate customer information across systems, it had failed adequately to consider wider risks to customer information from its systems being compromised;
- Nationwide did not manage or monitor downloads of very large amounts of data onto portable storage devices;
- its information security procedures were unwieldy: they were not housed in a single document; covered too broad a range of procedures; were poorly structured (with no signposting or search facility); contained inconsistencies; lacked prioritisation (with no prominence given to critical steps); and did not clearly distinguish between mandatory requirements and best practice guidelines;
- there was no job specific training – staff self-certified that they had read and understood the procedures; and
- there was no procedure for establishing what information had been held on the laptop, and thus for assessing the potential impact of the theft and acting accordingly.
Why this matters:
The FSA makes much of its November 2004 report, "Countering Financial Crime Risks in Information Security", saying that this report, together with various speeches, other publications and heightened awareness of information security risks generally, meant that Nationwide should have enhanced its procedures. So much so that the penalty covers the period from 1 December 2004, notwithstanding that the theft only occurred in August 2006!
From a regulatory lawyer's perspective, the action is notable for three reasons:
- the speed of the FSA's action – six months only from notification to the FSA of the laptop's theft;
- the size of the fine – it would have been £1.4 million but for the 30% (stage 1) discount under the FSA's executive settlement procedures; and
- the basis of the fine – a breach of Principle only: no specific rule breaches are specified in the Final Notice!
It will be interesting to see how the FSA pursues this specific concern with information security risk during 2007, and especially vis-à-vis Halifax, following the disclosure in early March that a briefcase containing details of some 13,000 mortgage customers had been stolen from an employee's locked car.