An anonymous reader writes: The UK Financial Services Authority (FSA) has imposed a fine of nearly £1m on the Nationwide — the largest building society in the country — because of poor controls over data on a laptop that was stolen from an employee's home. The laptop contained data on 11 million customers, but the Nationwide didn't take any action for 3 weeks. There is no evidence that the confidential data was actually used to disadvantage customers.
According to the FSA, the Nationwide: failed adequately to assess the risks in relation to the security of customer information; had procedures in relation to information security which failed adequately and effectively to manage the risks it faced; failed to implement adequate training and monitoring to ensure that its information security procedures were disseminated and understood by staff; and failed to implement adequate controls to mitigate information security risks, to ensure that employees followed its procedures, and to ensure that it provided an appropriate level of information security.
How many other businesses meet the standards of information security excellence demanded by the FSA?