The Information Commissioner’s Office, the UK privacy watchdog, has this month been given greater powers to levy up to £500,000 in fines for serious breaches of the Data Protection Act.
Its increased powers underline the growing pressure that financial services companies and government departments are under to safeguard the huge amounts of sensitive customer data they hold.
During the past two years the ICO, which protects data on behalf of individuals, has received reports of 818 data security breaches, after customer data have been stolen or gone missing.
In the first four months of this year it has made four local councils, as well as Zurich Insurance and Royal London, the mutual insurer, sign undertakings to take action after data protection act breaches.
The Financial Services Authority, the UK financial regulator, is also taking a keen interest in safeguarding customer data.
In the past five years the FSA has fined five large institutions for not protecting data. Last year it fined three HSBC subsidiaries £3m after the bank lost customer data in the post on two occasions.
Customer data are extremely valuable. If they fall into the wrong hands, fraudsters can clone customer identities and hack into bank accounts. Indeed, identity theft is one of the UK’s fastest growing crimes.
There are still warnings that companies and public sector bodies are not protecting data as well as they might and that many institutions do not devote enough time to staff training or do regular risk assessments.
Laptop thefts appear to be a particular problem. For example, the building society Nationwide was fined £980,000 by the FSA three years ago for lapses in information security procedures after a laptop containing sensitive customer data was stolen from an employee’s home.
One central issue is how data are stored – whether they are held on a static computer network or transferred across networks electronically.
Paul Mee, head of the Strategic IT & Ops practice at Oliver Wyman, the consultancy, says: “If data is not encrypted then it’s at risk. Data are either at rest or in motion. The question for companies is whether data at rest are actually encrypted – if they are not encrypted then the associated operational risk still exists.
“There’s a clear role for the IT and audit departments to stress test these issues. Many institutions think they have well thought through written policies and have data sufficiently well encrypted but they may have not done enough real drills and scenario testing. Very few have,” he says.
“Often risks lie with smaller financial services organisations which may use local server network arrangements and have specialist spreadsheets for, say, portfolio management or pricing. For a small hedge fund, for example, it may not be top priority to look at protecting data. However, once data are lost it may be too late,” he adds.
When customer data are stolen or lost, companies have to take a number of steps such as alerting the financial regulator or notifying customers.
They may also have to monitor a customer’s credit file for a period of time, for example, to ensure their identity has not been stolen by fraudsters.
Paul Bantick, senior underwriter at Beazley, the Lloyd’s of London insurer, says that when a company loses data in the US, by law it has to notify customers who have been affected. However, outside the US there is often no legal obligation to do so.
He says: “Banks and other financial institutions now have superb IT systems but often IT cannot safeguard companies against loss of data due to human error such as people losing laptops.
“There has also been an increase in rogue employees within companies taking data, either by stealing computers or printing off sheets of information. It doesn’t have to be a senior executive, a rogue employee could be someone in the IT department or in accounts with access to information.”
When customer data are stolen or go missing, this can be very expensive for the company or government department involved.
Mr Bantick says that writing to notify customers can cost $1-$2 per letter and often banks then feel it necessary to provide monitoring of affected customers’ credit files, which can cost up to $15 a month per file.
“That can start running into big numbers where there are millions of customers involved,” he says.
Beazley provides an insurance policy that allows companies who have been affected by data loss to make use of forensic experts who can assess how many customers may have been affected by a breach as well as providing legal advice on whether those customers should be contacted.
In addition the service can notify customers and offer them credit monitoring as well as setting up a helpline to deal with customers requesting information.
Mr Bantick says companies can insure themselves up to a maximum number of customers who might have been affected, rather than opting to “lay-off” or insure up to £10m of risk for example, which in the case of a large scale data breach could leave large sums uninsured.
“In certain cases we involve the police or FBI. If, for example, a company receives a letter or e-mail from a criminal gang saying they have hacked into their computer system, provide evidence of the data they have obtained and threaten to bring them down,” he says.
However, protecting customer data can often be low on the priority list for struggling banks that have survived the credit crunch.
In many cases, if banks are making changes to their IT systems, this will often be to reconfigure them for changing their business models.
“Often if it’s a choice between delivering capabilities to build a stronger capital base for the bank and fixing that slightly annoying data issue – it’s no surprise which executives will choose,” Mr Mee added.