Welcome to Finextra. We use cookies to help us to deliver our services. We'll assume you're ok with this, but you may change your preferences at our Cookie Centre.
Please read our Privacy Policy.

Accept
Channels
Blog article
See all stories »

Channels

Security Retail banking

Group

Information Security
External | what does this mean?
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

HSBC Australia shoots the messenger

Banks and their customers have very different ideas about what constitutes "sensitive data", and what communication should take place if data security is compromised. And one bank in particular has an interesting approach to managing the media fall-out when such a lapse occurs.  

Over the past 6 weeks, a journalist at Computerworld Australia has written several stories covering a breach of security policy by an employee of HSBC Australia who left a file containing customer information on a train. Now she says she has recieved letters threatening legal action from the bank.

The journalist had contacted several of the customers whose data (including account details, property information, mortgage documents and photocopies of deposit cheques) was exposed. In her second story about the affair she reported the customers' outrage that their bank didn't think it necessary to let them know their data was involved in the incident.

Australia, unlike some other places (notably California), doesn't have any legislation that requires banks to notify customers if their data is exposed. But customers apparently expect this as a matter of courtesy.

In its letters to the journalist, HSBC claimed that she had breached the Privacy Act by sighting the missing documents first hand. It also threatened to "seek damages" if she contacted any of their customers, especially those that had their financial details exposed in the security breach. This sounds like standard legal bluster and overkill, but the bank does seem more worried about damage to its reputation than any damage the security lapse could cause its clients.

HSBC defends its position by claiming that its actions after the lapse were within the scope of the country's laws. And it did notify the Office of the Federal Privacy Commissioner (which subsequently did nothing). But rather than sending its legal team after the journalist for reporting that its customers are unhappy, I think it would be better off expending some resources in understanding what its customers expect in such situations, and behaving accordingly.
4614

Channels

Security Retail banking

Group

Information Security
External | what does this mean?
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Report abuse

Comments: (0)

Join the discussion
Elton Cane

Elton Cane

Digital product delivery

News Corp Australia

Member since

16 Feb 2007

Location

Brisbane

Blog posts

116

Comments

54

More from Elton

This post is from a series of posts in the group:

Information Security

The risks from Cyber cime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...

See all
Community
See all blogs »
Fintech 

How innovation in encryption is helping secure the credit card approval process

Ghazi Ben Amor

Ghazi Ben Amor

Operational Risk Management 

DORA – Navigating the EU’s Operational Resilience Landscape

Antony Fung

Antony Fung

Fintech 

The importance of risk management in trading

Kate Leaman

Kate Leaman

Digital Identity Management 

Navigating the digital identity landscape: A blueprint for financial services competitiveness

Adam Preis

Adam Preis

Now hiring

See more