The UK Financial Services Authority (FSA) has today announced fines for three HSBC entities totalling £3 million for failing to have adequate systems and controls in place to protect their customers’ confidential data. HSBC Life UK Limited (HSBC Life) was fined £1,610,000, HSBC Actuaries and Consultants Limited (HSBC Actuaries) was fined £875,000 and HSBC Insurance Brokers Limited (HSBC Insurance Brokers) was fined £700,000.
The failings included losing two unencrypted disks containing personal data in the mail, failing to store data securely and poor staff training on identifying and managing information security risks.
The fine is the highest to date in the UK and reflects a 30% discount for cooperating with the FSA. The incident highlights the fact that, despite the HMRC data breach in 2007 (when Her Majesty’s Revenue and Customs lost 25 million child benefit records on an unencrypted CD that went missing in the mail), many organizations still do not take data protection and information security issues seriously enough.
The incident will reignite debate as to whether the UK should have a mandatory data breach law.
It will also raise the question of when the UK data protection authority, the Information Commissioner’s Office (ICO), will be able to impose fines for security breaches. The UK Data Protection Act was amended in May 2008 to give the ICO the power to impose monetary penalties for serious breaches of the Data Protection Act, including the obligation to secure personal data. The statutory instrument that would bring that power into effect has not yet been passed. Seemingly, the Ministry of Justice and the ICO are still debating the level of fines and the circumstances in which those fines would be imposed.
Meanwhile, UK banks and financial institutions face the anomaly of being subject to fines imposed by the FSA for security breaches, while businesses outside the FSA’s jurisdiction currently escape the prospect of financial penalties for security breaches.