Financial Institutions Under Scrutiny For E.U. Data Security Breaches: Lessons To Be Learned

The European data protection authorities have been cracking down on data security breaches, and the UK has recently focused its attention on financial institutions that have violated the Data Protection Act 1998 (DPA). Organizations that fail to process personal information in line with the principles of the DPA not only risk enforcement action, prosecution and fines by the regulators, but also risk losing the trust of their customers. Earlier this year, the UK data protection regulator, the Information Commissioner's Office (ICO), published a list of eleven financial institutions that breached the DPA through the improper disposal of customer information. Among the institutions publicly named were Barclays Bank, Royal Bank of Scotland, and NatWest.

The ICO's action came on the heels of an investigation by the Financial Services Authority (FSA), which regulates the financial services industry in the UK. Following the theft of a laptop computer containing sensitive data from an employee's home, the FSA fined Nationwide Building Society almost $2 million for failing to ensure it had effective systems in place to manage the risks associated with its information security.

The institutions singled out by the ICO and the FSA suffered a significant blow to their reputations, which affected the confidence of clients and investors. Financial institutions should take heed and implement the steps necessary to ensure that they operate in compliance with the applicable data security regulations.

This Article briefly examines four key points:

The recent breaches of the Data Protection Act

The implications of the Data Protection Act for financial institutions

Lessons to be learned

Steps financial institutions can take to achieve compliance

Recent Breaches Of The Data Protection Act

The ICO and the FSA have both been accused of lacking teeth and of being lenient regulators, yet both have recently cited institutions for data security violations. Generally speaking, every institution that holds personal data concerning living individuals must comply with the DPA and its Eight Principles. The Seventh Principle requires that "appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." Additionally, the majority of financial institutions in the UK are regulated by the FSA, and a breach of the DPA can also infringe the FSA Principles for Businesses. In particular, Principle Three requires companies...
