PL&B UK E-news, Issue 92

1. FSA fines HSBC over £3m for data loss

The Financial Services Authority (FSA) has today announced that it has fined three HSBC firms over £3 million for not having adequate data protection systems and controls in place.

The FSA found that large amounts of unencrypted customer details had been sent via post or courier to third parties. Confidential information about customers was also left on open shelves or in unlocked cabinets and could have been lost or stolen. In addition, staff members were not given sufficient training on how to identify and manage risks like identity theft.

These failings resulted in customer data being lost. In April 2007, HSBC Actuaries lost an unencrypted floppy disk in the post, containing the personal information of 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers. In July 2007, all three firms were warned by HSBC Group Insurance’s compliance team about the need for robust data security controls. In February 2008 HSBC Life lost in the post an unencrypted CD containing the details of 180,000 policy holders.

The confidential information on both disks could have helped criminals to steal customers’ identities and commit financial crime.

HSBC Life UK Limited (HSBC Life) was fined £1,610,000, HSBC Actuaries and Consultants Limited (HSBC Actuaries) was fined £875,000 and HSBC Insurance Brokers Limited (HSBC Insurance Brokers) was fined £700,000.

Margaret Cole, director of enforcement at the FSA, said:

“These breaches are very disappointing. All three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals. It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers’ details.

“Fraud, particularly identity theft, is a major concern to everyone and firms must ensure that their data security systems and controls are constantly reviewed and updated to tackle this growing threat.

“In areas where we have previously warned firms of the need to improve, people can expect to see fines increase to deter others and change behaviour in the industry.”

All three firms cooperated fully with the FSA in the course of its investigation, and agreed to settle early, thereby qualifying for a 30% discount on their fines.

Copyright Privacy Laws & Business 2009