Financial Conduct Authority  

FCA taken to complaints commissioner over data breach

FCA taken to complaints commissioner over data breach

The Financial Conduct Authority has escaped a compensation payout in a claim brought by a consumer whose details were released as part of a data breach at the regulator last year. 

In a decision published this month the Complaints Commissioner sided with the City watchdog against the complainant who attempted to claim compensation for the "distress" of the data breach at the FCA in November 2019. 

The incident saw the regulator mistakenly publish on its website the details of individuals who had made a complaint to the FCA between January 2018 and July 2019.  

In some instances these confidential details included names, addresses, telephone numbers and also the nature of the complaint. 

The FCA admitted the breach in February this year and confirmed it had referred itself to the Information Commissioner’s Office over the incident. 

In the complaint, which was escalated to the Complaints Commissioner, the consumer claimed that as a result of the breach they had since received scam emails and phone calls. 

Whilst commissioner Anthony Townsend agreed the data breach was "clearly very regrettable", he said the FCA had since put in place additional safeguards to prevent a recurrence.

He said: "I agree with the FCA that the information about you which was disclosed was very limited – it was your forename and surname, plus a very general description of your complaint which gave no personal details.

"There is no evidence that the information has been misused."

Mr Townsend said the FCA's apology for the data breach and the way in which the consumer's complaint had been handled, was sufficient without any monetary compensation, though it had been delayed.

Data rules

The watchdog has been keen to emphasise the importance of data sharing and privacy rules in recent years, teaming up with the ICO and the Financial Services Compensation Scheme in February to warn authorised firms of the importance of protecting client data. 

The move saw the FCA ready itself for a fresh crackdown on the industry as it warned some authorised firms and insolvency practitioners had attempted to unlawfully sell client data to claims management companies.

Jonathan Greenstein, director at compliance support firm Complyport, said: "Whilst a GDPR breach could have led to a fine of up to either €20,000,000 or 4 per cent of annual global turnover for any of the firms regulated by the FCA, it is key to look at this in more detail.

"Based on information made available regarding the breach, in many cases, the extent of the information seems to be only the name of the person making the complaint.

"This alone would make it hard to identify a person. In the instances where further personal data was leaked, the FCA appears to have contacted each individual personally.

"Finally, it appears that there was no critical data such as financial data, card data or identity information in this breach."

Mr Greenstein added: "It should also be noted that the FCA appears to have reacted as per the rules prescribed to them, reporting itself to the ICO within 24 hours and removing the information as soon as it became aware."