Data security

Customer data protection is a serious issue. You are responsible for securing your customer data and protecting it from fraudsters.

Customer data is any identifiable personal information held in any format, for example National Insurance records, addresses, dates of birth, family circumstances, bank details and medical records. This information must be kept securely to comply with your obligations under the Data Protection Act 1998, but also because criminals can use it to commit offences such as identity theft. 

Data security is not purely an IT problem, nor is it just a problem for large firms. Firms of all sizes should think carefully about how they secure their data. Having good data security policies and appropriate systems and controls in place will go a long way to ensuring customer data is kept safe. However, you need to make sure your employees understand the policies and procedures and your firm keeps up-to-date when people move on.

IT security measures

You should consider risk-based, proactive monitoring of staff to make sure they are accessing or changing data for genuine business reasons, and that they all use good password standards and do not share or write down their usernames and passwords.  

If you have employees who work from home or use laptops and portable devices such as USB sticks and CDs to store customer data, you should be vigilant about the risks of loss or theft. Unencrypted customer data should never be stored on these devices.

Unsecure backup and storage of customer data leave you at risk. We expect you to review your data backup procedures regularly and consider threats from all angles, including the transit or upload process and ultimate place of storage. If your data is held off-site by a third party, you should encrypt it and make sure you carry out regular due diligence. 

Broader security measures

Customer data can be compromised in various ways and you should also:

  • look at the physical safety of your business premises
  • have a sign-in book for visitors, with onsite supervision
  • conduct enhanced recruitment checks
  • conduct credit and criminal record checks on people with access to data

Outsourcing to a third party does not mean you have outsourced your obligations to look after customer data. Therefore, you should carry out due diligence on third-party suppliers before hiring them, try to establish what their vetting procedures are, and ensure that they respect your firm’s security arrangements.

For further detail and examples of good and poor practice in data security, see Chapter 5 in Part 1 and Chapters 6 and 10 in Part 2 of our Financial Crime: A Guide for Firms.