Banks and their customers have very different ideas about what constitutes "sensitive data", and what communication should take place if data security is compromised. And one bank in particular has an interesting approach to managing the media fall-out when such a lapse occurs.
Over the past 6 weeks, a journalist at Computerworld Australia has written several stories covering a breach of security policy by an employee of HSBC Australia who left a file containing customer information on a train. Now she says she has received letters threatening legal action from the bank.
The journalist had contacted several of the customers whose data (including account details, property information, mortgage documents and photocopies of deposit cheques) was exposed. In her second story about the affair she reported the customers' outrage that their bank didn't think it necessary to let them know their data was involved in the incident.
Australia, unlike some other places (notably California), doesn't have any legislation that requires banks to notify customers if their data is exposed. But customers apparently expect this as a matter of courtesy.
In its letters to the journalist, HSBC claimed that she had breached the Privacy Act by sighting the missing documents first hand. It also threatened to "seek damages" if she contacted any of their customers, especially those that had their financial details exposed in the security breach. This sounds like standard legal bluster and overkill, but the bank does seem more worried about damage to its reputation than any damage the security lapse could cause its clients.
HSBC defends its position by claiming that its actions after the lapse were within the scope of the country's laws. And it did notify the Office of the Federal Privacy Commissioner (which subsequently did nothing). But rather than sending its legal team after the journalist for reporting that its customers are unhappy, I think it would be better off expending some resources in understanding what its customers expect in such situations, and behaving accordingly.