Minimum Security Standards Are Mandatory for Safeguarding Customer Data

This week’s press reported yet another loss of customer data by a leading UK Bank. This time it was HBOS coming clean about a loss of a disk containing information about more than 60,000 mortgage customers.

This type of incident is not new. People regularly make mistakes in today’s fast-moving, cost-cutting business environment. All organisations have scores of insecure practices. In the safety field it’s well understood that, on average, behind every major incident there are likely to be around 30 minor incidents, several hundred near-misses and thousands of bad practices. But you can also be unlucky. Anyone who has studied statistics will appreciate that an average solution is not generally the most probable outcome.

But what caught my eye about this incident was that the Bank admitted that the data should have been encrypted and sent by a secure courier. Now that’s a step in the right direction. It shows that Management appreciates the need for defence-in-depth security standards. Perhaps the message is finally getting through, i.e. that there are minimum standards for the protection of customer data – you don’t leave it to the discretion of the business.