
Private Banking And Data Protection - How To Guard Against Attacks

Kenneth Mullen Withers Partner 5 August 2010


No amount of preparation can ever fully shield organisations against the menace of cyber crime; however, making sure that the necessary action is taken to identify and control information security risks will assist, should regulators investigate, argues Withers, the law firm.

In March this year, a data security scandal rattled HSBC Private Bank in Switzerland after it emerged that former IT staff had stolen account details of around 15,000 clients. Although it does not appear that any data was sold on the black market, it did eventually find its way into the hands of French tax authorities and HSBC was forced to publicly apologise for the incident.

The reputational fall-out that data breach incidents like this can trigger, particularly in the financial sector, is obvious. However, security lapses can also have serious legal and regulatory consequences.

Private bankers, wealth managers and financial advisors, often operating on an international basis, have to deal with a patchwork of regulations covering client data collection, retention and security. Duties of confidentiality and contractual responsibilities to clients are clearly a primary concern but advances in technology have also added new layers of risk to consider and with it, further regulation.

The European Union’s Data Protection Directive regulates the processing of any client’s personal data. In short, organisations should only collect and process such personal information fairly and lawfully, and must observe certain legal obligations, including maintaining appropriate security measures to protect such data against unauthorised disclosure, access or loss.

The Directive is enacted through national legislation in each member state. This means enforcement can vary significantly from territory to territory, with some data protection regulators perceived as taking a more intrusive line than others. Until recently, the UK was seen as providing firms with a reasonably benign compliance regime. However, the signs are that this stance is changing.

In April, the UK introduced financial penalties of up to £500,000 (around $796,980) for the most serious data protection breaches. What’s more, the European Commission is now threatening to take action against the UK unless it further toughens its data protection enforcement regime. This includes giving regulators the right to conduct spot-checks on firms’ data processing with power to impose penalties for non-compliance. The EU (and UK) data protection rules are also due to be reconsidered next year with tougher regulation being a likely long term outcome.

Financial regulators have also been actively scrutinising firms’ internal data security under financial services regulation. For example, the UK Financial Services Authority (FSA), the UK regulator, has ratcheted up the penalties on organisations that fail to take appropriate steps to protect client data. This culminated in three HSBC group companies being fined £3.2 million by the FSA last year for having inadequate systems and controls in place to protect customers against fraud and identity theft.

What’s clear is that the information security issue is not going away. Although no organisation can ever guarantee that its data will be free from attack, failure to take preventative steps to tackle the risk and to manage any subsequent fall-out is likely to land a firm in hot water.

And while visceral threats such as hacking and organised crime often capture the news headlines, the immediate threat is more likely to come from the employee, director or contractor sitting next to you. There have been occasional examples, like HSBC Private Bank, where a determined employee has acted clandestinely; however, many of the reported cases involve well-intentioned employees who are simply travelling or taking work home. Whether it’s a case of confidential client documents being taken from a car, a laptop being stolen from a hotel room or a memory stick being lost in the back of a taxi, in regulatory terms responsibility will usually remain with the organisation concerned and specifically with its senior management.

So what should you do? The legal picture can be reasonably complex; however, the following high-level five point plan may help:

1. Have a Clear Overview: Know exactly what client data you maintain in the first place; what it is being used for, where it is held and under what conditions. Knowing the answers to these questions will help determine the scope and extent of your regulatory responsibilities;

2. Manage Access: Implement proper internal and external controls on access to data. Appropriate firewalls and IT security can obviously guard against external threats, but adequate organisational measures to ensure that data is only available to those who need it should also be strictly applied. Regulate the mass copying of client data on to mobile and portable memory devices;

3. Raise Staff Awareness: It’s clear that directors, staff and contractors who have exposure to client data need to be appropriately trained in the handling of confidential client records. This training needs to be tailored to job requirements; simply imposing a blanket data security policy for annual sign-off is unlikely to be regarded as sufficient to fully discharge regulatory obligations;

4. Control Data Transfers: Client data (particularly where financially sensitive) should be protected through encryption when being transmitted. Appropriate technical and legal controls should be in place to protect data where processing functions are outsourced to third parties. Another upshot of data protection regulation is that personal data being stored should not be routinely transferred across borders or outside Europe without the security and legal implications being reviewed; and

5. Set Up Incident Management: Procedures need to be put in place, with a clear chain of responsibility, so that any reported breach is acted on promptly. Failing to have the means to investigate or properly act on a breach is viewed as seriously as failing to secure client data in the first place. Also, while there is as yet no general legal duty in the UK to notify regulators or affected individuals of a data breach, in serious cases there may be compelling practical reasons to do so, such as to prevent any further financial loss.

No amount of preparation can ever fully shield organisations against the menace of cyber crime; however, making sure that the necessary action is taken to identify and control information security risks will assist, should the regulators come knocking on your door.
