Wednesday 22 July 2009

The cost of losing customer data: (only) £3 million for HSBC

Today, three units of HSBC were fined £3 million for losing customer data. Two of the breaches affected more than 180,000 people, and, although no customer has reported any loss from these incidents, the Financial Services Authority (FSA) is sending a strong message to all UK financial services firms. At issue is how careful HSBC was with the customer data, rather than the outcome of these breaches. This point should resonate with all financial services firms, and with any other organization that handles customer data: no HSBC customer suffered a loss from these breaches, yet the FSA has still taken the company to task for being careless and for failing its customers.

All financial services firms, especially, should give this ruling strong consideration. If breaches of this kind can occur at the world’s largest bank, ranked by Forbes as the sixth-largest business in the world, then they can happen anywhere. Details of the breaches describe an alleged environment in which poor employee training in preventing and dealing with identity theft, as well as lax encryption standards, prevailed. These controls are part of “Identity Theft 101,” meaning that even the smallest, most regional bank, mortgage company, or insurance firm would make sure they are in place. There is some good news for HSBC in this. By cooperating, it has seen its fine reduced from a potential £4.5 million, a saving that can be used for better protection.

The bad news for all of us is that the fine was really insignificant in the grand scheme of things. A few million pounds is still only loose change for these organizations, even in these times.