I recently wrote that from a shareholder value perspective it makes very little sense for companies trading primarily in the UK to invest significantly in more effective data protection controls because of a lack of penalties for not doing so. While it seems the Information Commissioner has done some useful lobbying work in this space lately, he has just been made to look rather ineffectual by the Financial Services Authority.
The Nationwide Building Society was just fined 1 million pounds (including a rather nice 30% discount for prompt payment) for systematic failures of its data protection controls. Dennis has a good write up here. He quotes the FSA report thusly:
Nationwide failed adequately to assess the risks in relation to the security of its customer information.
Nationwide had procedures in relation to information security which failed adequately and effectively to manage the risks it faced.
Nationwide failed to implement adequate training and monitoring to ensure that its information security procedures were disseminated and understood bystaff.
Nationwide failed to implement adequate controls to mitigate information security risks, to ensure that employees adhered to its procedures and to ensure that it provided an appropriate level of information security.
Nationwide failed to have appropriate procedures in place to deal with an incident involving the loss of customer information and, as a result,
Nationwide did not respond appropriately and in a timely manner to establish the risks to Nationwide customers of financial crime arising from the theft of a Nationwide laptop computer.
The game just changed dramatically and fundamentally in UK financial services information governance. Lots of security specialists in The City will be feeling rather queasy this morning. For vendors its all gravy. But its no good blaming vendors for this breach. The Nationwide was evidently culpable and has been slapped accordingly. Picture courtesy of GriXx under creativecommons attribution no commercial use license.