In a heavyweight report (104 pages) “Data Security in Financial Services: Firms’ controls to prevent data loss by their employees and third-party suppliers” the FSA has warned its members to do more to protect personal data.
Highlighted right on the first page:
it is not appropriate for customer data to be taken offsite on laptops or other portable devices which are not encrypted. We may take enforcement action against firms that fail to encrypt customer data offsite.
Only may? Still, it’s a start.
I’ve only read the executive summary so far, but it’s pretty damning about what happens in small and medium-sized firms. The gap between policy and practice is also criticised, especially the general lack of a holistic approach to security that integrates non-IT controls.
As for the auditors that should be picking up on this:
Some firms’ compliance and audit staff lack the necessary understanding of the subject or technical expertise… the standard of small firms’ compliance checking – and their overall performance on data security – is very weak indeed.
These recommendations are relevant to just about every organisation: all of them store some personal information. Even the military.