Banks and insurance companies aren't doing enough to ensure customers' personal data is protected from identity thieves, according to the UK's financial regulator.
Firms that fail to encrypt data on laptop computers may face enforcement action, the Financial Services Authority (FSA) warned in a report published Thursday.
While large and medium-sized firms tend to transfer data to and from third parties using secure internet links, there are still occasions where unencrypted customer data is transferred on CDs or mainframe cartridges, sometimes by unregistered post. This is one of the findings of a review of systems and controls at banks, building societies, insurance companies and financial advisers, conducted by the regulator.
The City watchdog said it supports the Information Commissioner’s position that "it is not appropriate for customer data to be taken offsite on laptops or other portable devices which are not encrypted".
Yet senior management at firms still fail to recognise the value of customer data to fraudsters, said the FSA.
The FSA has been cracking down on data security breaches. In December, it fined Norwich Union Life £1.26 million for failing to protect customer data adequately from identity theft.
The FSA said it investigated 56 cases of data loss by financial services firms in 2007. This accounted for just under a third of all financial crime cases dealt with by the team.
"In fact, data security was the most common type of financial crime incident dealt with during the year," the report said. "[It is] highly likely that many data loss incidents go unreported."
The FSA said these cases have revealed some serious weaknesses in firms' data security.
While large firms invest in data security, most place too much emphasis on IT controls and not enough on staff awareness and training, or on regular risk assessments. Nearly half of those surveyed offered no security training for staff.
In the case of significant data loss, firms seem more concerned about adverse media coverage than about being open and transparent with customers.
The FSA reviewed 39 financial-services companies, including banks, building societies, insurance companies and financial advisers, to compile the report. About 50% of the sample was composed of small firms, the report said. The FSA said medium-sized and small firms were the worst offenders for data security. The FSA did not look at sophisticated data theft through computer hacking.
Recently the Information Commissioner, Richard Thomas, revealed that 94 data breaches, in both the public and private sectors, had been reported to his office in the past six months. The financial sector was responsible for 14 of these lapses, and was the worst culprit in the private sector.