
UK financial services businesses should be examining
their information security procedures carefully following
the hefty fine imposed on Nationwide Building Society for
inadequate data security.
The Financial Services Authority (FSA) imposed a penalty of just
under £1m on Nationwide last month for failure to take "reasonable
care" to organise its systems to effectively manage information
security.
The decision related to the theft of a laptop from a Nationwide
employee's home. The computer contained details of about 11 million
account holders, and although PIN codes and passwords were not
included, the FSA ruled that customers were still exposed to an
unacceptable risk.
Assess the dangers
Nationwide had adopted a number of precautions, but according to
the regulator it had failed to take sufficient care to assess the
dangers or implement effective risk management processes.
In particular, the FSA criticised security procedures for staff
that were held in an "unwieldy" format on a corporate intranet and
failed to prioritise critical issues; generic staff sign-off and
training that was not job specific; and a failure to ensure staff
followed procedures.
In addition, a three-week delay by Nationwide in following up
the theft to see what data had been taken and inadequate incident
management procedures were ruled to have increased the risk of
financial crime.
The Nationwide scenario illustrates how a seemingly commonplace
incident can develop into a time-consuming legal headache.
The reasons why staff are allowed to take confidential
information out of the office are varied, although the intentions
are rarely clandestine - usually it is simply to enable them to
work from home or when travelling.
Mobile storage risks
The FSA has noted advances in data storage and low-cost portable
technology that have given staff and contractors the technical
means to download vast amounts of sensitive information with
relative ease. Although mobile devices have brought undoubted
benefits, businesses also need to be mindful of the consequences of
devices being on walkabout from the office.
Sometimes there is little control or awareness of what is being
accessed, and data may lack even the most basic password
protection. The convenience of portability is also usually coupled
with vulnerability to petty theft, or to a gadget simply being left in
the pub or on the train.
The FSA says that it wants to send a "clear, strong message to
all firms about the importance of information security". It is
clear that even the best-intentioned organisation dealing with
sensitive customer data cannot get away with simply drafting an
information security policy, unless it also fully considers its
effective and practical application going forward.
To do anything else is a hazardous and now, it would seem,
potentially costly strategy.
Kenneth Mullen is a partner specialising in media and
technology at law firm Shepherd and Wedderburn
Do you agree with Kenneth Mullen? If you have an opinion about
this or any article in Computer Weekly, e-mail
computer.weekly@rbi.c.uk