UK building society Nationwide has been fined almost £1m after a laptop containing sensitive customer data was stolen from an employee.
The Financial Services Authority (FSA) hit Nationwide with the £980,000 fine on Wednesday, following an investigation into the theft, which occurred in November 2006 at the employee's house.
According to the FSA, Nationwide was guilty of failing to have effective systems and controls in place to manage its information security risks. The FSA also discovered that Nationwide was not aware that the laptop contained confidential customer information and did not start an investigation until three weeks after the theft.
"Firms' internal controls are fundamental in ensuring customers' details remain as secure as they can be and, as technology evolves, firms must keep their systems and controls up-to-date to prevent lapses in security," said Margaret Cole, director of enforcement at the FSA.
"The FSA took swift enforcement action in this case to send a clear, strong message to all firms about the importance of information security," Cole added.
Nationwide has apologised for the incident, and claims to have tightened up its security procedures in an attempt to avoid a repeat of the incident.
The FSA took swift enforcement action in this case to send a clear, strong message to all firms about the importance of information security
Margaret Cole, FSA
"We have extensive security procedures in place, but in this isolated incident our systems of control were found wanting," said Nationwide's chief executive, Philip Williamson, in a statement. "We have made changes to fill the gap and improve our procedures further."
It's still unclear exactly what customer data was held on the laptop. Nationwide insists that the information couldn't have been used to commit identity theft, and says that no customers have lost money as a result.
Nationwide admitted that the employee in question had not been following its existing procedures at the time of the theft. Although it's unclear exactly how procedures weren't followed, it seems likely that the laptop should not have left the company's offices or that the data shouldn't have been stored there at all.
"We can't comment on any action that may have been taken against the employee," a Nationwide spokesperson told ZDNet UK.
Laptop thefts are a growing security problem. Earlier this week, it was revealed that America's FBI loses three or four laptops each month. In many cases, the FBI hasn't known what sensitive data might have been contained on the missing devices.
Talkback
Fining Nationwide for losing a laptop containing customer details highlights an ongoing security problem faced by organisations today, particularly as the trend in mobile and remote working increases. Our own survey of 1,200 IT managers and security professionals last year shows that only 44 per cent of the data on laptops is encrypted. The research also showed that only 12 per cent of the data on handheld devices, such as BlackBerries is encrypted.
Organisations must take steps to protect the growing amount of sensitive data, which is floating around outside the corporate network in executives' pockets and bags. Encrypting the data and using a smart card or a USB token to 'unlock' the laptop and subsequent information, which can be held separately from the machine, will reduce the risk of data falling into the wrong hands. Random thefts and losses of laptops and other physical assets inevitably occur, however, if unauthorised access to the data on these items is prevented via the use of encryption, organisations and their customers can rest easy.
Fiona, I have to agree with you over the importance of encrypting data on devices, but it's not everything. Encryption's not practical for all scenarios, and quite honestly a lot of sensitive corporate data shouldn't be transferred to a laptop anyway. Encryption is one sensible precaution. Strong IT and HR policies are equally as important.