Monetary Penalty for Bank of Scotland

August 5, 2013

The ICO has served the Bank of Scotland with a monetary penalty of £75,000 after customers’ account details were repeatedly faxed to the wrong recipients.

The information included payslips, bank statements, account details and mortgage applications, along with customers’ names, addresses and contact details. The documents were faxed over a three-year period, with the first incident reported to the bank in February 2009 by a third-party organisation.

In total, at least 21 documents were sent to the third-party organisation during this time, with another member of the public receiving a further 10 misdirected faxes. Both parties had fax numbers that were one digit different from that of the intended recipient, a department within the bank that routinely uploaded documents onto the bank’s system.

Despite the company being informed of the problem on numerous occasions, the errors continued. The matter was eventually referred to the ICO by the third-party organisation, yet further mistakes were made even as the ICO was investigating the breaches.

Stephen Eckersley, Head of Enforcement at the ICO, said:

‘The Bank of Scotland has continually failed to address the problems raised over its insecure use of fax machines. To send a person’s financial records to the wrong fax number once is careless. To do so continually over a three-year period, despite being aware of the problem, is unforgivable and in clear breach of the Data Protection Act. Let us not forget that this information would have been all a criminal would ever need to carry out identity fraud. Today’s penalty reflects the seriousness of this case.’

View the Bank of Scotland monetary penalty notice (pdf) 

Laurence Eastham comments:

The amount of the penalty seems modest by comparison with some served in respect of one-off errors by individuals. Are we seeing the effect of the success of the Scottish Borders appeal?

My favourite among the mitigating factors listed by the ICO is the revelation that there is likely to be a significant impact on the reputation of the Bank of Scotland as a result of these security breaches. I am surprised by this as I had suspected that the reputation of the Bank of Scotland would stay just as high with most people despite such breaches – when you are bumping along the bottom, there is nowhere to fall.