UK financial services businesses should be examining their information security procedures carefully following Nationwide Building Society being slapped with a hefty fine for inadequate data security.
The Financial Services Authority (FSA) imposed a penalty of just under £1m on Nationwide last month for failure to take "reasonable care" to organise its systems to effectively manage information security.
The decision related to the theft of a laptop from a Nationwide employee's home. The computer contained details of about 11 million account holders, and although PIN codes and passwords were not included, the FSA ruled that customers were still exposed to an unacceptable risk.
Assess the dangers
Nationwide had adopted a number of precautions, but according to the regulator it had failed to take sufficient care to assess the dangers or implement effective risk management processes.
In particular, the FSA criticised: security procedures for staff published in an "unwieldy" format over a corporate intranet, which failed to prioritise critical issues; generic staff sign-off and training that was not job specific; and a failure to ensure that staff followed procedures.
In addition, a three-week delay by Nationwide in following up the theft to see what data had been taken and inadequate incident management procedures were ruled to have increased the risk of financial crime.
The Nationwide scenario illustrates how a seemingly commonplace incident can develop into a time-consuming legal headache.
The reasons why staff are allowed to take confidential information out of the office are varied, although the intentions are rarely clandestine - usually it is simply to enable them to work from home or when travelling.
Mobile storage risks
The FSA has noted advances in data storage and low-cost portable technology that have given staff and contractors the technical means to download vast amounts of sensitive information with relative ease. Although mobile devices have brought undoubted benefits, businesses also need to be mindful of the consequences of devices being on walkabout from the office.
Sometimes there is little control over, or awareness of, what is being accessed, and data may lack even the most basic password protection. The convenience of portability is also usually coupled with vulnerability to petty theft, or to a gadget simply being left in the pub or on a train.
The FSA says that it wants to send a "clear, strong message to all firms about the importance of information security". It is clear that even the best-intentioned organisation dealing with sensitive customer data cannot get away with simply drafting an information security policy, unless it also fully considers its effective and practical application going forward.
To do anything else is a hazardous and now, it would seem, potentially costly strategy.
Kenneth Mullen is a partner specialising in media and technology at law firm Shepherd and Wedderburn
Do you agree with Kenneth Mullen? If you have an opinion about this or any article in Computer Weekly, e-mail [email protected]