Come clean and admit you got it wrong and you get hammered. This is the lesson the Nationwide Building Society will be digesting after last week’s shock £1 million ($1.8 million) fine by the Financial Services Authority (FSA), for being careless with a laptop full of customer data.
The whole case has been odd from the start. The Nationwide reported the theft of the laptop from an employee’s home to the police last August, though only made it public knowledge in November. Both actions implied that the data on the laptop was significant, though the institution has always denied that customers were at risk.
So why report it at all? There is no requirement under any UK regulation to do so. Everyone suspects that banks lose data such as this on a regular basis, and yet the number of cases that come to light in the UK is minuscule. Meanwhile, in a number of US states there is a legal requirement to report the loss of data, which has resulted in a steady stream of embarrassing cases making headlines.
And if the incident was as minor as the Society has claimed, why did the FSA dish out such an unprecedented fine? You have to do something pretty bad to get the UK regulators to shuffle their papers and rattle the filing cabinets, never mind to do so with such speed and severity.
The fine sends a perverse message. The Nationwide was held to account for taking several weeks to tell the FSA the nature of the theft, despite the fact that there is no clear compulsion for it to do so even when data protection has been compromised. It was also punished for wider, unspecified security failings.
But if you humiliate the one company honest enough to report a problem, what about all the others we suspect of saying nothing and covering up their breaches of data confidentiality? The case for the cover-up looks compelling when you see a rival being thrown to the beasts. But a warning has been served, however incompetently and counter-productively.