CASE STUDIES

Post Office

The Post Office Scandal involved a computer system implemented by Fujitsu, a third-party IT company contracted by the UK's Post Office. The new system was intended to streamline subpostmasters' accounts but had inadequate record-keeping practices.

Fujitsu allegedly made unannounced and undocumented corrective changes to accounting ledgers without notifying the Post Office or its subpostmasters. These changes caused financial discrepancies in subpostmasters' accounts, making it difficult for them to reconcile their transactions. When these errors were discovered, subpostmasters found that Fujitsu had modified the system's functionality without proper documentation and without the knowledge of the Post Office and its subpostmasters.

Without a continuous demonstration that records had not been altered, and with no transparency or oversight over account transactions, subpostmasters were unable to rectify errors and suffered financial losses. The scandal ultimately resulted in legal cases against both the Post Office and Fujitsu for their inadequate record-keeping policies and handling of customer records.

Finance

Barclays Bank was fined $3.75m by the Financial Industry Regulatory Authority (FINRA) for failings in their record-keeping policies and procedures between 2002 and 2012.

https://www.bbc.co.uk/news/business-25525621 

JPMorgan was fined $200m in 2015 by FINRA and the SEC after admitting that it failed to adequately oversee employee access to customer records, resulting in a data breach.

https://www.reuters.com/business/jpmorgan-securities-pay-125-mln-settle-sec-charges-record-keeping-lapses-2021-12-17/ 

UBS was fined $125m by the Securities and Exchange Commission (SEC) for widespread and longstanding failures to maintain and preserve electronic communications.

https://www.sec.gov/newsroom/press-releases/2022-174 

The French Prudential Supervision and Resolution Authority (ACPR) fined Generali Vie 5m for deficiencies in its record-keeping systems, affecting both organizational processes and due diligence obligations.

https://acpr.banque-france.fr/sites/default/files/medias/decision-2014-07.pdf

Deutsche Bank settled for $227m with the FCA for misconduct related to the London Interbank Offered Rate (LIBOR) and Euro Interbank Offered Rate (EURIBOR). The bank provided inaccurate information about whether other records existed.

https://www.fca.org.uk/news/press-releases/deutsche-bank-fined-%C2%A3227-million-financial-conduct-authority-libor-and-euribor 

The OCC assessed a $500 million civil money penalty against Wells Fargo. The bank was ordered to make restitution to customers harmed by unsafe or unsound practices and develop an effective enterprise-wide compliance risk management program.

https://occ.gov/static/enforcement-actions/ea2018-026.pdf 

Standard Chartered Bank was fined $327 million by U.S. regulators for violating anti-money laundering laws. The bank failed to maintain accurate records related to transactions with Iranian clients, which led to potential money laundering activities.

https://www.aol.com/news/2012-12-10-327-million-fine-for-standard-chartered-on-iranian-charges.html

Commerzbank faced a fine of €1.45m (approximately $1.55m) imposed by the German Federal Financial Supervisory Authority (BaFin), which found deficiencies in Commerzbank's data retention policy and ineffective record-keeping systems.

https://www.moneylaunderingbulletin.com/legalandregulatory/cases/commerzbank-fined-1.45m-in-germany-for-cdd-breaches--1.htm

Technology

Google was fined €50m by the French National Data Protection Authority (CNIL) for lacking transparency and consent regarding its ad-tracking practices and record-keeping policies.

https://www.bbc.co.uk/news/technology-46944696

Facebook faced multiple fines due to data breaches and privacy violations, such as in 2018 when it was fined £500k ($645k) by the ICO for the Cambridge Analytica scandal, which involved improper handling of user records.

https://en.wikipedia.org/wiki/Facebook%E2%80%93Cambridge_Analytica_data_scandal

In 2021, the Luxembourg National Commission for Data Protection issued a fine of $886.6 million (£636 million) against Amazon for allegedly breaking European Union data protection laws.

https://www.bbc.co.uk/news/business-58024116 

In 2023, the Federal Trade Commission (FTC) required Microsoft to pay $20 million for violating the Children’s Online Privacy Protection Act (COPPA). The charges stemmed from collecting personal information from children who signed up for its Xbox gaming system without parental consent and illegally retaining children’s personal data.

https://www.ftc.gov/news-events/news/press-releases/2023/06/ftc-will-require-microsoft-pay-20-million-over-charges-it-illegally-collected-personal-information 

LinkedIn was fined £1.5m ($1.9m) in 2018 by the ICO for failing to meet its data protection obligations when a data breach exposed the personal information of approximately 4.5 million users due to improper handling and record-keeping practices.

https://ico.org.uk/for-organisations/advice-for-small-organisations/understanding-and-assessing-risk-in-personal-data-breaches/

Twitter agreed to pay $110m to settle FTC charges related to data privacy violations involving user records, such as failing to secure customer information properly.

The company also failed to adequately identify and address the risks associated with its data retention policies.

https://www.nbcnews.com/tech/security/twitter-dms-data-delete-rcna57031 

Uber was fined £83.3m ($107m) in 2018 by 50 U.S. states and D.C., settling allegations that it concealed cyberattacks, failed to adequately manage and retain records of those attacks, and placed drivers' personal information at risk.

https://www.straitstimes.com/world/uber-says-cyber-breach-compromised-data-of-57-million-users-drivers 

Intel agreed to pay $9m to settle SEC charges related to improper handling and retention of confidential corporate information by its former CEO, Brian Krzanich, who left the company in 2018.

The settlement also covered inadequate record-keeping practices.

https://finance.yahoo.com/news/details-emerge-office-affair-led-155716579.html 

Healthcare

Procter & Gamble agreed to pay $122m to resolve an SEC investigation into improper product recording and accounting practices that led to inaccuracies in financial statements.

https://www.sec.gov/Archives/edgar/data/80424/000008042424000083/pg-20240630.htm 

UnitedHealth Group agreed to pay $15m to settle a lawsuit alleging that it violated HIPAA by failing to secure patients' electronic health records, resulting in a data breach.

https://www.kare11.com/article/news/health/lawsuit-filed-on-behalf-of-millions-of-patients-impacted-by-unitedhealth-group-data-breach/89-c77b8a11-dcef-47dd-afc6-99ba63113a7b 

Anthem paid $16 million to settle with the FTC and multiple states over allegations that it failed to adequately secure patient data from a massive data breach in 2015, which exposed customer records.

https://www.hhs.gov/guidance/document/anthem-pays-ocr-16-million-record-hipaa-settlement-following-largest-us-health-data-breach 

St. Joseph Health System paid $2m to settle with the HHS and OCR over allegations that it violated HIPAA rules related to the security and privacy of its electronic health records system by failing to conduct an accurate risk assessment and not maintaining adequate record-keeping practices.

https://www.healthcareitnews.com/news/st-joseph-health-pay-2-million-hipaa-violations 

Legal / Human Resources

Lloyds Bank Legal Services was fined £2m by the SRA (now the Solicitors Regulation Authority) for failing to adequately maintain its file recording system and to identify missing documentation, reflecting the inadequate record-keeping policies it had in place.

https://www.jonathonbray.com/why-a-solicitors-client-account-cannot-be-used-as-a-banking-facility-and-how-to-stay-safe/ 

Hays Recruitment paid £1.7m to settle with the ICO over allegations that it failed to meet data protection requirements after a data breach exposed the personal information of approximately 4 million users due to inadequate record-keeping practices.

https://www.hayesconnor.co.uk/news-resources/news/the-cost-of-a-data-breach-over-15-5-million-gdpr-fines-paid-out-by-uk-businesses-between-2023-24/