Many financial services companies are still doing too little to protect their customers' personal details, according to reports by three organisations this week.
Jeremy Clarkson did not take the threat of ID theft seriously till stung
The Financial Services Authority says many firms do not take seriously the threat of data they hold being stolen and used for crimes like identity theft.
And the Information Commissioner's Office has revealed financial firms were involved in half of all recent serious data breaches affecting companies in the UK.
Do you think companies are taking enough care of our details?
Perhaps a company lost your personal data - were you compensated or reassured?
Or maybe you are responsible for keeping customers' private information secure.
Are you an IT professional with experience of encryption?
We asked for your comments - a selection of which are below. The debate is now closed.
There is no excuse for not protecting customer data. The tools and technology are available to encrypt data automatically so that it is invisible to staff working with the data. This means that it doesn't impede work and ensures that people don't forget to encrypt files. More often than not it comes down to budget. Companies have been reluctant to invest the money in protecting data, as until recently the business benefits have not been clear. A security breach along the lines of those seen in the press recently significantly harms an organisation's reputation.
Dr. Bernard Parsons, London
I have just been notified that HSBC have posted out a disc weeks ago, and my details were on the disc, and it has gone "missing". I did read the press close to when it happened, and it surprised me that HSBC had not been in touch. I wonder; if the press hadn't got hold of the information, would HSBC have contacted me at all? I trust HSBC to keep my information safe - and pay them extremely well to keep my information safe. I think it's even more important for HSBC to keep my details safe than my doctor. Obviously in light of this huge mishap, I have really lost confidence in my bank - and it isn't just my bank; it's my insurer, my retirement provider and executor.
It would certainly sharpen up the practices of organisations if the people whose details are compromised could claim compensation from the offending company. Surely, personal data should be carefully protected by the holder(s), and its loss treated as gross negligence on their part.
Mr A. Cooper, Teesside
Speaking for a UK digital forensic company we are too often called in after an incident has taken place because many organisations are failing to have adequate protection from all threats that face a business. Today's threats range from external hackers to the internal threat that has only just recently been labelled, however it has been around since the start of human life. Internal threats can range from malicious to simple user mistakes and companies need appropriate measures in place to ensure their data is protected at all levels. For example, enforce policies to protect data, encrypt data automatically when leaving the organisation, produce extensive audit trails and educate the user much more. Without turning this into a sales pitch I simply want to point out that there are systems out there to assist and prevent data loss so organisations have no excuse. They simply need to research new systems and procedures. I personally feel the media also need to identify these systems rather than just notify the public on the issues and results of data loss. If appropriate media light was given to such products then organizations would be aware of these high level information security systems.
There needs to be a simple, but upheaving change in the way data is kept. Remove it from central databases and let individuals keep it themselves. How? On a smartcard. Technology today would allow everyone to keep all of their data (bank, health, ID, licences, etc) on a single card. When contacting any authority, simply present your card to enable any transaction. This is what the government ID card scheme should be about.
Antony Watts, Palma, Mallorca
I recently bought a Sudoku book from a national newspaper and hence told them my details. At no stage did I agree to my data being used externally, but they still included it on a CD and sold it to a general insurance company. When the salesman called me, he was very reasonable and rightly unhappy about the data. After all, he thought he was calling people who wanted to be phoned. There's no way of keeping our data safe when it is handed around in such a cavalier way. Our data should be our own intellectual property and only passed to third parties if we agree in writing.
Chris Grey, Guildford
I'm an IT expert. The banks should have a customer password that identifies them to their customers when they call or use their website. That way customers can be confident they are actually talking to their bank. The cost of this would be fairly minimal and would stop some telephone and web fraud overnight.
Companies should not be trusted with our data, citizens should assume responsibility for it themselves. Aggressive enforcement of data protection laws would improve matters but does not defend against all mass repositories of sensitive data being the natural target of the criminal. No security system is perfect. These databases will be hacked, sooner rather than later. A better defence model is to not store the data centrally. If an individual's security is compromised then only one person's data is exposed. It is hardly worth the effort of cracking 25 million systems. Secure information pertaining to a customer's dealings with a company should be stored on the hard drive of the customer's own computer. Storage and transport can be encrypted and secure home systems can be made commonplace.
Steve Smethurst, Manchester
I feel that my mortgage lender is being quite irresponsible. When there is an interest rate change, they send me a letter to inform me of this, stating how much my new payments will be, which also states when it will be collected from my bank account, and goes on to give my sort code and account number. Surely it is not necessary to send all this information through the post. Anyone intercepting this letter will get my full name and address, mortgage account number, bank account number and sort code (identifying my branch). They could at least * out all but the last three digits of my account number, as is common practice on most shop till receipts for card transactions.
C Reeve, Lincoln
I recently received bank statements - the envelopes were not properly sealed so that the contents were open to all to view. When we are being encouraged to keep our data secure why do the banks send sensitive data through the post without appropriate attention to safeguarding our data? When I reported the facts to the savings bank I received financial compensation - perhaps more people should voice their dissatisfaction with the poor service we receive.
E Bradford, Newcastle upon Tyne
Has no one noticed the Kafkaesque absurdity of the million pound fine levied on Nationwide by the FSA? Nationwide is a mutual, it is owned by its customers, (I am one). My data was presumably stolen too. So the mutual is fined a million. Who loses? We, the members do. Not the directors. Why should the victims of a crime be punished for it?
Tony Peterson, Kendal
OK, so the regulator is going to get tough with companies which lose our data. What does he propose to do about government departments who do the same thing?
Derek Winslow, Weston-super-Mare
Sorry... Have I missed something, but shouldn't having data protection systems and encryption functions be a pre-requisite to doing business? Isn't the firm that doesn't have this in place actually committing an offence... i.e. by promising protection but failing to secure that? Part of the terms of business of any bank or financial institution is assurance on these matters. If that is contravened, that in itself is criminal in my book and I thought, that of the legislators? What is going on? This is criminal activity and yet again the FSA seems only to be interested in the cases that come to the fore because they are "found out". The focus is on punishment if data is lost but if you don't punish for lack of protection then how can we ever know what is lost? What has been cleverly stolen or copied through IT hacking, etc?
Identity theft does not exist. Surely what really happens is that banks give loans or pay funds to someone who is not the real customer. By calling it "identity theft" they are making it our problem to hide the fact that what has actually happened is that they have made an error.
A J Maple
The comments we publish are not necessarily the views of the BBC but will reflect the balance of views we have received. It is helpful if contributors state if they work for any organisation relevant to an issue discussed. Readers should form their own views on whether messages published represent undeclared interests, or views prompted by a common source.