For the first time, the United Kingdom’s financial regulator, the Financial Services Authority (FSA), has fined a financial institution for poor data security. According to a February 14 notice from the FSA, the Nationwide Building Society, the U.K.’s largest “building society” (a member-owned mortgage lending and banking services institution), received a £980,000 ($1.9 million) penalty based on its response to the 2006 theft of a laptop computer containing sensitive customer data.
According to the notice, the laptop was stolen from the home of an employee and contained unspecified “confidential client information.”
The FSA regarded the data security failures as particularly serious, because as one of the largest financial institutions in the U.K., the building society holds confidential financial information of over 11 million customers.
The FSA said the fine was imposed because Nationwide breached the regulator’s “Principles for Business” by failing to take “reasonable care to organize and control its affairs responsibly and effectively, with adequate risk management systems.”
The FSA indicated that although Nationwide’s practice is to ensure that sensitive information, such as account balances, personal identification numbers and account access passwords, are not stored along with personally identifiable information (PII), such as a customer name, address and account number, the bank “failed adequately to consider the wider risks to customer information from systems being compromised and, as a result, it failed to put in place appropriate controls and monitoring mechanisms to mitigate these risks.”
The FSA said Nationwide’s failure to manage or monitor downloads of very large amounts of electronic data onto portable storage devices meant they “had limited control over information held in this way or how it was used, increasing the risk that it could be used to further financial crime.”
The FSA indicated Nationwide failed to take reasonable care to ensure it had effective systems and controls to “manage the risks relating to information security, specifically the risk that customer information might be lost or stolen” and that the systems and controls used by Nationwide should have been “robust enough to anticipate equipment theft or loss.”
“Principle 3 Breach – Systems and Controls”
“4.8. Nationwide breached Principle 3 by failing adequately to assess the risks relating to information security and take reasonable care to ensure that it had adequate procedures to manage those risks, including the risks that electronic equipment containing customer information might be lost or stolen. Further, it had inadequate controls in place to ensure that its procedures would be followed.
4.9. The FSA Information Security Report issued in November 2004 specifically highlighted the danger of reliance on an annual requirement on staff to sign acceptance of corporate policies whose size made their effectiveness questionable. The FSA Information Security Report recommended a range of measures to embed procedures such as training, updates, and testing similar to that used for money laundering training. The FSA Information Security Report also highlighted the risks of staff deviating from procedures. To address this risk, firms must have in place appropriate monitoring and controls to ensure that procedures are followed.
4.10. Nationwide’s information security procedures were contained in an unwieldy electronic format. The procedures were held on Nationwide’s internal website; they were not housed in a single document. The procedures covered a very broad range of information handling issues. The policy document was not structured in a way which would have enabled staff to identify easily which part or parts of the procedure might be applicable to their particular role. In addition, there was no search facility within the procedures to assist with this.
4.11. The policies contained inconsistencies and lacked any prioritisation; critical steps were given the same prominence as lesser issues. Within Nationwide’s procedures, no clear distinction was made between mandatory requirements and guidance on best practice.
4.12. Staff were required to self-certify that they had read and understood Nationwide’s procedures for information security. Staff received generic training on the application of the information security procedures; but no job specific training was provided.
4.13. Having designed and implemented its procedures for information security, Nationwide failed to establish controls adequate to ensure that its procedures were understood, and that staff adhered to these procedures. Controls in this context can include a combination of measures such as: physical and electronic barriers to copying and transmitting information to portable storage devices, monitoring of compliance with procedures (including through management and supervision of staff), conducting random and targeted monitoring to ensure that only necessary data is stored on removable storage devices and that appropriate information security measures are in place and being used.
4.14. In 2004, Nationwide conducted an analysis of the FSA Information Security Report making a number of recommendations. During the relevant period Nationwide took a number of steps to enhance information security including enhancements to patch management, configuration and access management systems. However, it failed to give sufficient consideration to customer information security risks that could arise as a result of its own systems and controls.”
The above repeatedly highlights the importance not only of having policies, but also of having procedures to support them, and then effective training and awareness about both.
“4.16. The FSA Information Security Report specifically highlighted the need for firms to have incident management procedures commensurate with the size of their operations. It also highlighted the need for firms to update their procedures in line with developments in technology and the increasing use of portable storage devices with the capacity to hold large amounts of data. Nationwide had inadequate incident management procedures to deal with the loss of IT equipment.
4.17. This failure to have in place a procedure to investigate the extent of the information contained on the laptop inhibited Nationwide’s ability to respond promptly and increased the opportunity for the information to be used to further financial crime.”
Another important point: procedures must exist for responding effectively to incidents.
There are many important lessons here for organizations in all countries, and especially for U.S.-based organizations that do not understand their privacy commitments and the expectations of their EU-based customers. According to the report, many effective information assurance components were missing from the Nationwide program:
* Lack of an effective information security and risk management program
* Lack of controls on mobile computing devices
* Lack of encryption for PII
* Lack of information security policies
* Lack of information security procedures
* Lack of information security training and awareness
* Lack of information security incident response plans
* Lack of a PII inventory
* Lack of a breach notification plan
What other lessons can be learned? Post and share your ideas!
Tags: awareness and training, government, identity theft, Information Security, IT compliance, laptop theft, policies and procedures, privacy, privacy breach, risk management