HSBC £3m fine may not be enough

The Financial Services Authority has levied a £3.2 million fine on HSBC following the lost of unencrypted data by three divisions. Despite falling in the same month as the bank announced £3 billion in profits, the high fine is expected to gain attention to data security issues among other organisations.

The fine followed the loss of 180,000 policy holder details by HSBC Life on an unencrypted CD, details of nearly 2,000 pension scheme members by HSBC Actuaries on another disc, and a further data security breach by HSBC Insurance. The compliance team at that division had been warned of the need for robust data controls in July 2007. By co-operating with the FSA investigation, the bank gained a 30 per cent discount on the potential maximum it could have been charged.

Even so, information security expert Alan Calder, chief executive of IT Governance Limited, says: “It seems amazing that an organisation as trusted as a global high street bank should still be caught asleep at the wheel when it comes to personal data protection. The FSA is to be applauded for issuing this fine, because it seems that harsh financial penalties are necessary for board directors to start taking these responsibilities seriously.”

He notes the “fine inflation” following Nationwide’s near £1 million hit two years ago, but believes financial penalties are not enough. “I expect the
FSA will soon have to make good on its threat to personally prosecute directors for such lapses, or else see the issue kicked into the long grass again within months,” says Calder.