Big fines for data protection disasters | 11 August 09

COMPANIES which don’t keep a close eye on customers’ data face the prospect of taking a significant financial hit after banking giant HSBC was slapped with more than £3m of fines.

Law firm Ward Hadaway says the penalties handed out by the Financial Services Authority to HSBC Life, HSBC Actuaries and HSBC Insurance Brokers indicate how seriously the authorities take the issue of protecting confidential details – and why businesses should make sure their processes are in order.

In its investigation into the firms, the FSA found that large amounts of unencrypted customer details had been sent via post or courier to third parties.

Confidential information about customers was also discovered to have been left on open shelves or in unlocked cabinets and could have been lost or stolen.

In addition, staff were found not to have been given sufficient training on how to identify and manage risks like identity theft.

As a result of its findings, the FSA fined HSBC Life UK Limited £1,610,000; HSBC Actuaries and Consultants Limited £875,000 and HSBC Insurance Brokers Limited £700,000.

The watchdog said the penalties – the largest to date in the UK – would have been even larger if all three firms had not cooperated fully with the investigation and agreed to settle at an early stage.

Margaret Cole, director of enforcement at the FSA, said: “All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals.

“It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers’ details.

“In areas where we have previously warned firms of the need to improve, people can expect to see fines increase to deter others and change behaviour in the industry.”

The FSA says that the firms have since taken a number of remedial actions to address the concerns raised, including contacting the customers concerned, improving their staff training and requiring that all electronic data in transit is encrypted.

Judy Baker, partner in the IT team at law firm Ward Hadaway and an expert on data protection issues, said the case showed that regulatory bodies were serious when it came to investigating and enforcing data protection rules.

Judy said: “These are significant financial penalties, even for companies of the size of these HSBC businesses, and are a sign of the way that careless handling of personal data will not be tolerated by the authorities.

“This case sends out a clear message and organisations would do well to implement a review of their data protection safeguards to ensure they are as secure as possible.

“While these fines were imposed by the FSA, which regulates UK banks and financial institutions, other organisations face the prospect of fines under plans to allow the Information Commissioner’s Office to impose monetary penalties for serious breaches of the Data Protection Act.

“While this has not yet come into effect, it is only a matter of time before it does.”

Ward Hadaway advises a range of bodies on data protection issues and on ways they can minimise the danger of breaches, which can now result in financial penalties, not just embarrassment and reputational damage.
