The Financial Services Authority (FSA) has fined the Nationwide Building Society nearly one million pounds for losing a laptop that contained customer data.
The FSA held that the building society’s information security procedures and controls breached the FSA’s Principles of Business. FSA regulated bodies should be taking urgent steps to review their approach to information security – including upgrading policies and procedures, more thorough employee training and drafting incident management plans.
In August 2006 a Nationwide laptop was stolen from the home of a Nationwide employee. The employee promptly reported the laptop’s theft to Nationwide but did not inform Nationwide of what was on the laptop. An internal investigation into this was launched three weeks later. Nationwide subsequently wrote to customers to apologise for the lapse.
The FSA found that Nationwide breached Principle 3 of the FSA’s Principles for Business, which states that “a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.” In particular the FSA concluded that Nationwide should have had better systems and controls to manage the risks relating to information security, specifically the loss of customer information. Nationwide agreed to co-operate at an early stage of the FSA’s investigation, which reduced the fine from £1.4 million.
The FSA’s response and reasoning
The authority of the FSA to issue a fine arises under the Financial Services and Markets Act 2000 (FSMA). Section 206(1) states that if the FSA considers that a person authorised under FSMA has contravened a FSMA requirement (such as the FSA’s Principles for Business), it may impose a penalty of such amount it considers appropriate.
The FSA concluded that Nationwide had failed to:
- assess adequately the risks to security of customer information;
- put in place adequate information security procedures;
- implement adequate training and monitoring for staff to ensure they actually understood and followed procedures; and
- put in place appropriate procedures to enable it to react promptly and effectively to an incident involving loss of customer information.
Future impact on businesses; recommended actions
This should not be regarded as a one-off fine for a stolen laptop: regulated businesses should take note that the FSA is cracking down on information security.
In November 2004, the FSA issued an Information Security Report (click here to view). To minimise the risk of incurring a fine, regulated businesses should study the recommendations in the report. In particular:
Information security framework
An information security framework is critical for a comprehensive, robust information security function and forms the basis for effective management of information security risks. Whilst being appropriate to the scale, nature and complexity of the firm, the framework should include:
- information security governance mechanisms, for example defined roles and responsibilities for both business and IT in terms of committees, steering groups and management;
- high-level information security strategies and policies, as well as detailed underlying procedures, standards and guidelines covering, for example, networks, operating systems, databases etc;
- deploying policies and procedures into actions/controls, including user administration, network and operating system management and education. (For example, even though it had designed and implemented information security procedures, Nationwide failed to adopt adequate physical and electronic barriers to copying and transmitting information to portable storage devices so that these only stored necessary data);
- managing information or the monitoring of events through methods, such as audit reports, to determine how well information security policies are implemented and procedures followed; and
- effective risk management practices, including risk identification, assessment, mitigation and monitoring.
Employees should be trained in the firm’s information security policies and procedures on joining. This should go beyond simply giving handbooks and requiring employees to sign corporate policies and acceptable usage conditions. Effective user education may include:
- compulsory, job specific information security training for new staff using mixed media;
- security awareness programmes to get staff to understand the importance of information security and their individual responsibilities;
- supplying staff with security awareness materials such as intranet pages, mouse mats, brochures, posters and identity badge clips with security messages etc;
- annual mandatory testing of information security awareness along the lines of training given on anti-money laundering; and
- giving news updates to staff about emerging threats and the importance of information security
Effective incident management and its escalation to senior management have become increasingly important with firms’ relying on technology to be available around the clock. Firms need to have incident management procedures that define the roles and responsibilities for the staff involved and provide an escalation route to senior management. While these procedures will reflect the size and nature of the organisation, common practices may include:
- a documented incident response process that covers reporting, recording, categorisation, investigation and resolution of all incidents with guidance on how incidents should be escalated; and
- an incident response plan describing the roles and responsibilities of the participants and involving representatives, where appropriate, from: IT, fraud, communications, customer liaison, call centre, marketing and legal and providing out of hours contact numbers and nominated deputies.