
HSBC Australia shoots the messenger

Banks and their customers have very different ideas about what constitutes "sensitive data", and what communication should take place if data security is compromised. And one bank in particular has an interesting approach to managing the media fall-out when such a lapse occurs.  

Over the past 6 weeks, a journalist at Computerworld Australia has written several stories covering a breach of security policy by an employee of HSBC Australia who left a file containing customer information on a train. Now she says she has received letters threatening legal action from the bank.

The journalist had contacted several of the customers whose data (including account details, property information, mortgage documents and photocopies of deposit cheques) was exposed. In her second story about the affair she reported the customers' outrage that their bank didn't think it necessary to let them know their data was involved in the incident.

Australia, unlike some other places (notably California), doesn't have any legislation that requires banks to notify customers if their data is exposed. But customers apparently expect this as a matter of courtesy.

In its letters to the journalist, HSBC claimed that she had breached the Privacy Act by sighting the missing documents first hand. It also threatened to "seek damages" if she contacted any of their customers, especially those that had their financial details exposed in the security breach. This sounds like standard legal bluster and overkill, but the bank does seem more worried about damage to its reputation than any damage the security lapse could cause its clients.

HSBC defends its position by claiming that its actions after the lapse were within the scope of the country's laws. And it did notify the Office of the Federal Privacy Commissioner (which subsequently did nothing). But rather than sending its legal team after the journalist for reporting that its customers are unhappy, I think it would be better off expending some resources in understanding what its customers expect in such situations, and behaving accordingly.


Elton Cane

Digital product delivery

News Corp Australia

This post is from a series of posts in the group:

Information Security

The risks from Cyber crime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...
