In August 2009 the Financial Services Authority (FSA) fined three HSBC firms over 3 million pounds for failing to comply with FSA data security requirements.
The FSA found that the firms did not have adequate systems and controls in place to protect their customers' confidential details from being lost or stolen. Despite warnings, a catalogue of errors occurred, including the loss of an unencrypted CD containing the details of 180,000 policyholders and the sending of large amounts of unencrypted customer details via Royal Mail.
Further breaches included storing confidential information on open shelves or in unlocked cabinets and not giving staff sufficient training on how to identify and manage risks like identity theft.
The FSA fines would have been around a third more, had the HSBC companies not settled with the FSA at an early stage.
Companies need to factor the cost of managing and cooperating with an FSA investigation into their running costs.
Finally, the possibility of customers bringing civil claims should they suffer an alleged loss could be an additional substantial cost.
What should I do about Data Protection?
Companies can protect themselves by making basic initial enquiries about their security procedures. For instance:
Where is your hard copy information kept and is there back-up for it?
Is it under lock and key or on open shelves?
Can information be freely downloaded to portable devices?
Are staff regularly trained on identifying and managing data risks?
Is encryption routinely used on electronic equipment and recording devices?
Is training required for encryption?