PL&B UK E-news, Issue 54

1. FSA fines Nationwide £980,000 for lapse in data security and warns other firms

The Financial Services Authority (FSA) fined the Nationwide Building Society, (the UK’s largest mutual home loans organisation), on 14th February, nearly one million pounds for losing a laptop that contained customer data. This is the first time that the FSA has fined an organisation for data security failings.

The FSA investigation found that the building society did not have adequate information security procedures and controls in place. It was found to be in breach of the FSA Principle 3, which states that a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. A further reason given by the FSA was that the firm “failed to implement adequate training and monitoring to ensure that its information security procedures were disseminated and understood by staff.” The Data Protection Act has similar requirements.

By co-operating fully, and agreeing to settle at an early stage, Nationwide qualified for a 30% reduction of the fine. The building society has written to all its members apologizing for the incident, and is now looking to increase its security policy. There will also be a comprehensive review of information security procedures and controls.

In view of this decision, businesses regulated by the FSA will now urgently need to reassess their data protection and data security risks and training programmes.

A fuller analysis will be published in the PL&B International Newsletter to be published next week and in the UK Newsletter, to be published in April.

For further details on the Privacy Laws & Business UK Newsletter, please click here.

Copyright Privacy Laws & Business 2007