No damage done, so who pays in the long run?

Jeremy Phillips

Business Week reports that three companies within the HSBC banking group have between them been fined over £3 million by the Financial Services Authority (UK) for customer data protection lapses. HSBC Life were ordered to pay £1,610,000, HSBC Actuaries £875,000 and HSBC Insurance Brokers £700,000. The fines followed an investigation by the FSA which revealed that customer data was sent without encryption to third parties and via couriers, and left in unlocked cabinets and on open shelves. A spokesman for HSBC Insurance is quoted as saying:

“While this is a serious matter, no customer reported any loss from these failures and we are doing everything possible to prevent a recurrence. We have implemented even more rigorous systems [this suggests that the previous systems were “rigorous”], better checks and more training for our people. We believe our customers can have confidence that we are doing everything we can to protect their privacy [that’s the point: the customers not only can but do have confidence, because they generally don’t know what’s happening to their data, whether it’s adequately protected or not].”

The three companies have now improved staff training and use encryption when data is being moved. By cooperating with the FSA they also earned a 30% reduction on the fine, which would otherwise have stood at £4.55 million.

So, it appears that no harm is done. No customer has reported any loss and the HSBC companies have not identified any. The companies have parted with over £3 million, which is not a vast sum to them, and the loss really lies with the shareholders: pension funds and other institutions who have, like HSBC’s customers but unlike the company’s employees and office-holders, done nothing wrong. This raises the question: is there a better way to achieve the desired ends?
