HSBC fined £3 million by FSA over data security

disc

Three HSBC firms have been fined more than 3 million by the Financial Services Authority (FSA) for failing to secure customer data.

The FSA claimed the three firms sent large amounts of unencrypted data - often on discs sent via the post - and staff were untrained on the issue of identity theft.

The FSA said that, in April 2007, HSBC Acutaries lost a floppy disk in the post that contained 1,917 pension numbers and addresses. And, in February 2008, HSBC Life lost an unencrypted disk holding data on 180,000 policy holders - also in the post.

In 2007, HSBC's own compliance team warned all three firms to shape up, but clearly the message didn't get through.

Margaret Cole, director of enforcement at the FSA, called the breaches "disappointing."

"All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals," she said in a statement.

"It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers' details."

She warned other firms to learn from HSBC's example or face fines. "In areas where we have previously warned firms of the need to improve, people can expect to see fines increase to deter others and change behaviour in the industry."

HSBC Life was fined 1,610,000, HSBC Actuaries was fined 875,000, and HSBC Insurance Brokers was fined 700,000. All three firms agreed to early settlements, so the fines are actually a 30 per cent discount on what they could have been.

Fixing the problem

Clive Bannister, group managing director of HSBC Insurance, stressed that no customers had been hurt by the breaches. "While this is a serious matter, no customer reported any loss from these failures and we are doing everything possible to prevent a recurrence," he said in a statement.

"We have implemented even more rigorous systems, better checks and more training for our people. We believe our customers can have confidence that we are doing everything we can to protect their privacy," he added.

The FSA agreed that the three firms had taken "remedial" action to deal with the breaches, alerting customers to the lost data, increasing staff training, and encrypting data.

Bannister added that 33,500 staff had since been trained in data security, while HSBC was running a business-wide awareness campaign. He also said that the downloading data to portable devices was now "restricted."

It's not the first big data breach fine from the FSA - it fined Norwich Union Life 1.26 million in 2007.

Indeed, the financial sector faces bigger sanctions than most when it comes to data security, because the FSA can issue fines. The Information Commissioner's Office, which polices the rest of UK organisations on data issues, can not yet issue fines, despite being approved by the government last year to do so.

Click here for the data breach lessons we all should have learned by now.