UK stockbrokers fined £77,000 for lax security
The Financial Services Authority (FSA) has fined UK stockbrokers Merchant Securities Group Limited £77,000 for failures in security procedures, despite there being no evidence of actual data compromise.
The FSA Final Notice (PDF) details several procedural failings identified during a "Thematic Visit" in September 2007. Inadequate procedures for verifying the identity of customers over the phone, inclusion of customer account numbers in written correspondence, insecure management of backup tapes and poor control over staff use of instant messaging and web mail are cited as the prime causes of action. The FSA stated that each of these failings alone would have been "sufficient to place customer data at risk of loss, theft or alteration," and that the company should have been aware of this, particularly as the failings occurred while the FSA was actively publicising its action against firms in cases of actual data leaks. Law firm Pinsent Masons has pointed out that the FSA did not disapprove of instant messaging or web mail completely, but considered that Merchant Securities had not exercised sufficient control over their use to minimise the possibility of data leakage.
Merchant Securities agreed to settle at an early stage, and has put its house in order to the satisfaction of the FSA. Had it not done so, the fine would have been £110,000.