Global menu

Our global pages


FSA fines HSBC over £3 million for data security breach

    • Financial services - Briefings and articles


    HSBC Life UK Limited, HSBC Actuaries and Consultants Limited and HSBC Insurance Brokers Limited have been fined £1,610,000, £875,000 and £700,000 respectively by the Financial Services Authority (“FSA”) following an investigation into their customer data security measures. The measures were inadequate and failed to prevent customers’ confidential details against risks including identify theft. The fines would have been £2,300,000, £1,250,000 and £1,000,000 respectively but HSBC cooperated fully and agreed to settle at an early stage of the investigation.

    The FSA’s investigation into the firms’ data security systems and controls highlighted the following. There were inadequate protections to guard against financial crime (including the theft of customer details). A floppy disk and a CD containing unencrypted customer data were sent by post or courier to third parties. Hard copies of confidential customer information were not locked away in cabinets. Staff were insufficiently trained on how to manage data security risks. The firms had previously been warned by HSBC Group about the need for robust data security controls.

    The FSA has said that firms must ensure that their data security systems and controls are constantly reviewed not least in order to guard against identify theft. The FSA has made it clear that in areas where it has warned firms generally about the need to improve their data security measures, they should expect fines to increase in order to deter others and to foster change in the sector.

    The FSA has fined other financial services institutions during the last four years for their failures in respect of information security, including Nationwide (£980,000) and Norwich Union (£1,260,000). The Nationwide breach involved the theft of an unencrypted laptop from an employee’s home. The laptop contained customer data on 11 million account holders. Nationwide had failed to address the risk of theft or loss of customer data; to prepare in advance to deal with such an incident; to start an investigation promptly enough; to train staff adequately and to ensure its data security policies were accessible to staff. Norwich Union’s systems failures allowed fraudsters to access information on 3.3 million customers and to impersonate them in order to obtain sensitive information from call centres.

    HSBC’s breach is a reminder that financial services institutions are subject to a dual layer of data protection regulation. The Information Commissioner’s Office (ICO) oversees and enforces the Data Protection Act 1998 (DPA) and data security is within the remit of Principle 3 of the FSA’s Principles for Business ("a firm must take reasonable care to organise and control its affairs responsibly and effectively, including by putting in place adequate risk management systems"). The FSA has the power to impose higher fines than the ICO but the ICO can require organisations to sign up to binding undertakings and to alter their practices by way of adherence to an enforcement notice. Aside from regulatory action, data security breaches damage a firm’s reputation, particularly with consumers.

    The FSA (Financial Crime and Intelligence Division) published a Data Security report in April 2008. It contained guidance and examples of good and bad practice. Whilst the report does not constitute formal guidance it is clear that compliance with its guidance and good practice is expected. The report stresses the need for encryption of portable devices and any other electronic means of transferring or transporting personal information offsite, coordination between business areas within firms and for control to be exerted over third party suppliers who process personal information on a firm’s behalf. Firms often assume that the contractual obligation to keep personal information secure is being met by their suppliers and they fail to be proactive by checking what happens in practice.

    HSBC has taken remedial action. For example, the relevant customers have been contacted, staff training has improved and electronic data in transit is encrypted. Other measures could minimise the risks of a security breach. These include providing for audit rights in contracts with third party suppliers, having accessible data protection policies available internally and having a rapid reaction plan ready for implementation in the event of a security breach. The ICO has produced useful guidance on the latter:

    Are banks misusing consumer behavioural data?

    Consumer Focus has called for consumers to be better protected against banks sharing their behavioural data between themselves. Earlier this year an initiative headed by the UK Cards Association (formerly Apacs) was launched. It encouraged banks and credit card companies to share information about customers’ behaviour in relation to their card usage. It aimed to guard against credit being offered to individuals in financial difficulty. Outstanding credit card debt in the UK has reached £54.4 billion. However, the concern is that banks are using the information in order to increase their profits. The Chief Executive of Consumer Focus has asked the FSA and/or the ICO to determine whether the sharing of the customer data complies with the relevant code of conduct.

    Data security issues concern financial services firms in particular

    The third edition of the Ponemon Institute’s annual survey has been released. 12 per cent of the 615 organisations surveyed (including public and private sector organisations) suffered 5 data loss incidents during the last year. The public sector and financial services firms are reportedly worst affected by data security issues. The financial services firms surveyed reported an average of 3.11 data loss incidents per year. A significant proportion of firms which claim to be unaffected by data losses point to the fact that they have introduced a company-wide encryption policy.

    Whilst the size of the survey is relatively modest, financial services organisations will no doubt be interested in the focus on encryption not least because of the HSBC fine and remedial action referred to above.

    ICO’s annual report - lending sector is top of the list of complaints

    The ICO has published its annual report for 2008/2009. There are interesting sections about enforcement and complaints. The ICO received approximately 25,500 complaints during the year. Of the top 10 business areas generating the most complaints (where the sector is specified) the lending and direct marketing sectors are first and second respectively. The FSA will no doubt take note of the fact that lenders are first on the list. As explained above, the regulatory function of the FSA and ICO overlap in respect of data protection compliance.

    There is a top 10 list of complaints made by individuals to the ICO. It serves as a useful reminder to organisations about data protection ‘dos and don’ts’. Failure to comply with the obligation to supply individuals with a copy of their personal data when requested (also known as a ‘subject access request’) within the prescribed time limit (40 calendar days) is the most common complaint. Next are complaints about organisations holding inaccurate data contrary to principle 4 of the DPA. Receipt of unsolicited marketing by telephone (automated and live calls), email and SMS are also in the top 10. This is a useful reminder of the regulations which apply to direct marketing. In short, usually opt-in consent must be obtained prior to engaging in electronic direct marketing and individuals must be given the opportunity to opt out of marketing by post.

    Unlawful disclosures of personal data, failing to keep personal data secure and failing to observe an individual’s right to prevent unlawful processing of his personal data are on the list. So too is failure to provide ‘fair processing information’ in accordance with principle 1 of the DPA. This includes the identity of the Data Controller, whether personal information will be transferred to third parties and the purposes for which personal data will be used.

    For a copy of the report go to

    To discuss any of the issues raised in this article please contact:

    John Hull

    Tel 0845 497 4822

    Lorna Doggett

    Tel 0845 497 4698