The Nationwide building society was fined a hefty £980,000 by the Financial Services Authority (FSA) last month, in the first case of its type in the UK.
A member of staff took home a laptop containing details of nearly 11 million customers - essentially the entire customer database - and then had it stolen in a break-in. The employee then went on holiday, delaying the official investigation for three weeks. Although Nationwide claims that no account details were on the laptop, customer data such as addresses seems to have been present. It has written to every customer apologising, according to chief executive Philip Williamson.
The FSA said in a statement: "Nationwide did not take reasonable care to ensure that it had effective systems and controls to manage the risks relating to information security, specifically the risk that customer information might be lost or stolen." Ironically, the FSA set up a new financial crime and intelligence division in January, designed to deal with "low-tech breaches of security" such as this.
Industry observers will doubtless make comparisons with US disclosure laws and encryption regulations, and mull the introduction of similar laws in the UK, but the clearest message here for all is not to allow anyone to carry your entire customer database around on a laptop.
Beyond this basic security concept comes the well-travelled path of encrypting data at rest, managing access to confidential data, and controlling the use of laptops on the corporate LAN.
Interestingly, with new PCI standards set to come into force in June, any company that handles credit card payments and pulls a similar stunt to Nationwide will face fines and sanctions.
However, the society said it "would not be fair" if the directors paid the fine. This means that, because Nationwide is owned by its members, customers will have to pay up, which works out at around nine pence each.