Failure to abide by the FCA’s rules on data protection opens up the possibility of being subject to the full range of the Authority’s enforcement powers - the latest details of which can be found here. But staying on the right side of the rules is important for reasons that go far beyond avoiding a fine. As well as regulatory costs, firms should think carefully about the wider commercial, legal and reputational consequences of a breach of the rules. By putting these issues in focus, it soon becomes clear why merely paying lip service to compliance is a very risky way to operate.
A reasonable data risk assessment process involves not just identifying risk areas, but also realising how your business might suffer if the risk arises. Here, we’ll highlight the various ways in which getting on the wrong side of the FCA for a data handling-related issue can cost your firm dearly…
The FCA’s approach: ignorance is no defence
No regulated firm could have failed to notice the FCA’s continued efforts to highlight the importance of safe data handling and data security. One of the most recent publications in which this issue was given high profile treatment was the FCA 2016/17 Risk Outlook, while specific factsheets on data security continue to hammer home the importance of diligence and good housekeeping.
The FCA has made it loud and clear that it considers its supervisory remit to include the systems and controls in place within regulated firms. This includes IT vulnerabilities that could bring about data breaches.
Am I facing a fine?
All examples of FCA fines levied solely for data security-related issues pre-date 2010. That date is significant as it corresponds with the ICO being given new powers to issue financial penalties in relation to significant breaches. These earlier instances include a fine for almost £1 million in respect of an unprotected laptop stolen from an employee’s home and a £2.3 million fine for the loss of unencrypted data in an outsourced scenario.
So currently, where an FCA breach also contravenes the Data Protection Act, the prosecuting authority is almost always the ICO. Take, for instance, the ICO fine levied against The Money Shop, Lurgan last year. From an FCA point of view, the breach, concerning failure to encrypt data prior to the physical transportation of a server, would almost certainly constitute a breach of Principle 3 (reasonable care to organise and control its affairs responsibly and effectively).
So even if the FCA declines to act against you for wrongdoing, the ICO in all likelihood will take an interest. The maximum financial penalty the ICO can issue at present is £500,000. In the case of The Money Shop, the fine was £180,000.
Beyond the fine: calculating the likely repercussions
A financial penalty or enforcement notice issued by either the FCA or ICO may be only the tip of the iceberg in terms of costs. Other areas of loss can include the following:
- Loss of contract revenue from customers affected by the breach. Those customers directly affected by the breach are likely to be the first to jump ship.
- Reputational loss. Remember that ICO and FCA decisions are in the public domain. A black mark against you is one of the easiest ways to lose your reputation as a safe pair of hands.
- Indemnity insurance premium increases. A data breach coupled with regulatory action is likely to result in a hike when it comes to policy renewal.
Don’t assume that a breach will mean paying a fine and getting on with business as usual. Remember that the fallout of regulatory intervention.