Nationwide Building Society, a U.K. financial services provider, has been fined $1.9 million after a laptop containing sensitive customer data was stolen from an employee.
The Financial Services Authority (FSA) hit Nationwide with the fine on Wednesday, following an investigation into the theft, which occurred in November 2006 at the employee's house.
According to the FSA, Nationwide was guilty of failing to have effective systems and controls in place to manage its information security risks. The FSA also discovered that Nationwide was not aware that the laptop contained confidential customer information and did not start an investigation until three weeks after the theft.
"Firms' internal controls are fundamental in ensuring customers' details remain as secure as they can be and, as technology evolves, firms must keep their systems and controls up to date to prevent lapses in security," said Margaret Cole, director of enforcement at the FSA.
"The FSA took swift enforcement action in this case to send a clear, strong message to all firms about the importance of information security," Cole added.
Nationwide has apologized for the incident and said it has tightened its security procedures in an attempt to avoid a repeat of the incident.
"We have extensive security procedures in place, but in this isolated incident our systems of control were found wanting," Nationwide's chief executive, Philip Williamson, said in a statement. "We have made changes to fill the gap and improve our procedures further."
It's still unclear exactly what customer data was held on the laptop. Nationwide insists that the information couldn't have been used to commit identity theft and says that no customers have lost money as a result.
Nationwide acknowledged that the employee in question had not been following its existing procedures at the time of the theft. Although it's unclear exactly how procedures weren't followed, it seems likely that the laptop should not have left the company's offices or that the data shouldn't have been stored there at all.
"We can't comment on any action that may have been taken against the employee," a Nationwide representative told ZDNet UK.
Now if only we would start doing the same thing to negligent companies here in the United States...
Let's face it, the only thing companies really understand is making money and losing money. They want to make as much of it as they can, and they don't want to lose any of it. Let's make the punishment for not treating sensitive information the way they should fit the crime.
My initial reaction on reading that the suing party was the FSA was to think, whoa, is this appropriate? Seeing the government stepping into private sector business like this was alarming. Then I considered our history of events like this in the US and I agreed entirely with your comment.
It *is* appropriate for the government to step in when companies abuse their clients, whether that be intentional (Spitzer and the insurance broking scandal, for example) or sloppiness. One thing that I then, cynically, realized was that at least in the US it would take a *lot* of instances of companies getting huge penalties before anyone bothered to take genuine steps to change matters for the better: consider the ongoing corruption we have seen since Enron and how time and time again well-to-do individuals are caught breaking the law with stock transactions.
Irregardless, slapping a big fine on US companies who do not take keeping private client data secure is the only way anything will change here.
About freaking time. I honestly can't understand how there's a "crap, we lost our clients' data on some computer hardware" story weekly. Maybe fines will make it more financially justifiable to put some budget into security.
We need more instances of this...
It's the only way to reduce future chances of this happening again.
Unless irresponsible companies are held responsible for their irresponsibility... this will only continue to happen.
Walt