FSA releases report on data security in financial services
Source: Financial Services Authority. Published Friday, April 25, 2008 - 07:28
The Financial Services Authority (FSA) has published today its report on Data Security in Financial Services. Whilst it might make for uncomfortable reading, this is a timely report from the FSA, and its relevance extends beyond the firms that the FSA directly regulates. The omissions the FSA identifies and standards it expects are not peculiar to the financial services industry.
The underlying message from the Information Commissioner's Office (ICO) and the FSA is clear in the report: they are going to get tough on firms that are not taking security breaches seriously enough, and firms ignore the guidance in this report at their peril.
There will undoubtedly be some debate about the viability of some of this report's recommendations. However, the report is to be welcomed in that it at least provides some insight into the standards that the regulators expect. To date, one of the problems has been the vagueness of the rules, and it is only when firms have been reprimanded that some indications of expectations have been obtained.
Some of the problems identified in this 100-page report include:
- unclear policies that are not enforced
- poor communications and lack of accountability within the management structure
- poor risk assessment
- lack of communication with affected consumers about the wider risks of identity fraud
- poor vetting of staff and service providers
- wide access to personal data and availability of the means to misuse it, e.g. USB ports, internet access and so on
- failure to monitor third-party suppliers' compliance with their contractual obligations.
The focus on operational security measures in the report, not simply technical ones such as encryption of laptops, is important. From a data protection compliance perspective, it should be remembered that the security obligations in the Data Protection Act 1998 (DPA) specifically refer to technical and operational measures being taken.
What is interesting is that much of the commentary has at its heart basic internal communication problems, both internally across departments or intra-group and externally with customers and third-party vendors.
Some of the examples of good practice cited include:
- a senior manager with overall responsibility for data security mandated to manage security risks and communicate with key stakeholders within the firm
- written data security policies and procedures that are proportionate, accurate and relevant to staff's day-to-day work
- an open and honest culture of communication making it easy for data security concerns to be reported without fear of blame
- detailed plans for reacting to data loss, including how to communicate with affected customers
- writing to customers promptly after a loss and telling them what has been lost and how, as well as advising on protective measures against identity fraud
- training and awareness campaigns for staff so they recognise the importance of, and what they have to do to comply with, policies
- vetting staff and service providers on a risk-based approach
- specific IT access controls and profiles for each role in the firm, which set out exactly what level of access is required for that job
- regular reconciliation of HR and IT user records to act as a failsafe if the firm's leaver processes fail
- 'least privilege' access to call recordings and copies of scanned documents that have been obtained for 'know your customer' purposes
- authentication of customer ID, for example using touch-tone telephones, before a conversation with a call centre adviser takes place (which limits the amount of personal data in call recordings)
- masking account details and other sensitive data where this would not affect the employee's ability to do his or her job
- password standards at least equivalent to those recommended by Get Safe Online (a government-backed campaign)
- using a third-party supplier, preferably accredited by the British Security Industry Association, to shred or incinerate paper-based customer data
- strict controls on portable devices and disabling of USB ports
- giving staff internet and email access only where there is a genuine business need
- regular reviews of third-party suppliers' data security standards and their compliance with them.
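Two of the good-practice items above, role-specific access profiles and the regular reconciliation of HR and IT user records as a failsafe for leaver processes, are simple enough to show as a concrete control. The following is an added example, not code from the FSA report or from this article; it assumes an HR feed that lists current staff with their role and leaving date, an IT directory export that lists accounts with their granted entitlements, and a table of role profiles. All names, roles, entitlement labels and records are constructed for illustration.

```python
"""Reconcile HR records against IT accounts and role-based access profiles.

Added example (not from the FSA report). Flags the four conditions a
reconciliation run is meant to catch:
  - enabled IT accounts with no matching HR record (orphaned accounts)
  - enabled accounts for staff whose HR leaving date has passed
  - accounts holding entitlements beyond their role profile
  - accounts whose HR role has no defined profile (cannot be checked)
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Role profiles: the exact entitlements each job needs (assumed, constructed).
ROLE_PROFILES = {
    "call_centre_adviser": {"crm_read", "call_recordings_read"},
    "kyc_analyst": {"crm_read", "scanned_docs_read"},
    "it_admin": {"crm_admin", "directory_admin"},
}


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    role: str
    leaving_date: Optional[date]  # None means still employed


@dataclass(frozen=True)
class ItAccount:
    user_id: str
    enabled: bool
    entitlements: frozenset


@dataclass
class ReconciliationReport:
    orphaned: list = field(default_factory=list)
    leavers_still_enabled: list = field(default_factory=list)
    excess_access: dict = field(default_factory=dict)  # user_id -> extra entitlements
    unknown_role: list = field(default_factory=list)


def reconcile(hr_feed, it_accounts, today):
    """Compare every enabled IT account against HR and its role profile."""
    hr_by_id = {r.user_id: r for r in hr_feed}
    report = ReconciliationReport()
    for acct in it_accounts:
        if not acct.enabled:
            continue  # disabled accounts are the desired end state for leavers
        hr = hr_by_id.get(acct.user_id)
        if hr is None:
            report.orphaned.append(acct.user_id)
            continue
        if hr.leaving_date is not None and hr.leaving_date <= today:
            report.leavers_still_enabled.append(acct.user_id)
            continue
        profile = ROLE_PROFILES.get(hr.role)
        if profile is None:
            report.unknown_role.append(acct.user_id)
            continue
        extra = set(acct.entitlements) - profile
        if extra:
            report.excess_access[acct.user_id] = extra
    return report


def sample_report():
    """Run the reconciliation over constructed sample data."""
    hr_feed = [
        HrRecord("u001", "call_centre_adviser", None),
        HrRecord("u002", "kyc_analyst", date(2008, 4, 1)),   # left earlier this month
        HrRecord("u003", "it_admin", None),
        HrRecord("u004", "contractor", None),                # role with no profile
    ]
    it_accounts = [
        ItAccount("u001", True, frozenset({"crm_read", "call_recordings_read", "scanned_docs_read"})),
        ItAccount("u002", True, frozenset({"crm_read", "scanned_docs_read"})),
        ItAccount("u003", True, frozenset({"crm_admin", "directory_admin"})),
        ItAccount("u004", True, frozenset({"crm_read"})),
        ItAccount("u005", True, frozenset({"crm_read"})),    # nobody in HR by this id
        ItAccount("u006", False, frozenset({"crm_admin"})),  # already disabled, ignored
    ]
    return reconcile(hr_feed, it_accounts, today=date(2008, 4, 25))


if __name__ == "__main__":
    r = sample_report()
    print("orphaned accounts:", r.orphaned)
    print("leavers still enabled:", r.leavers_still_enabled)
    print("excess access:", r.excess_access)
    print("role without profile:", r.unknown_role)
```

Each finding maps to a different failure the report's good-practice items are meant to guard against: an orphaned or still-enabled leaver account means the leaver process did not reach the directory, while excess access means a profile was granted by hand rather than from the role definition. A real run would read the HR feed and directory export from their systems of record; the structure of the comparison stays the same.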
That the FSA is taking an active interest is also important from an enforcement perspective. The FSA has stronger enforcement powers against the firms it regulates. Some examples of these are cited in the report.
By contrast, one of the complaints from the ICO is that it doesn't have sufficient powers under the DPA to make businesses pay attention to their security obligations – hence the current lobbying to get a change in the law to create a criminal offence.
The suggestion is that this would apply if a data controller knowingly or recklessly fails to discharge the duty under Section 4 of the DPA, which results in a substantial risk that persons would suffer damage or distress. It would be a defence to show that you had exercised all due diligence. This guidance from the FSA is exactly the sort of reference point that would be considered in assessing whether there had been all due diligence.
Visit here for further information and a copy of the report