Zurich Insurance's FSA fine should act as a warning on the importance of protecting sensitive information

News by Dan Raywood

Following the £2.27 million fine issued yesterday to Zurich Insurance for the loss of personal data, security experts have claimed it highlights the difficulties of data transfer and that systems need to mature.

John Redeyoff, operations director at NCC Group, claimed that the data loss highlights the difficulties of managing information security in an increasingly outsourced world.

He said: “Whilst businesses outsource key processes, such as call centres or back-office processing, and technology services, such as data centre provision, they cannot outsource the risk. The businesses still own the risk and, as such, they are accountable to statutory bodies such as the FSA, and to their customers.

“In addition, if an organisation is outsourcing services, it means that data is being passed between different organisations, and in the case of Zurich, between countries. This increases the risk of data loss further.

“Outsourcing does have its advantages but companies need to protect themselves when using third parties. Building information security into third party contracts can help. While this may allow the business to reclaim damages in the event of data loss, it does not take into account reputational damage that can often come at a higher price. Carrying out regular supplier audits is another security provision that can safeguard against data loss, though it must be ensured that continual auditing is not overly time intensive.”

Stuart Feargrieve, MD of Axway UK, claimed that there are two issues in this case: that the data was lost, and that Zurich did not realise it until a year later. He said: “A holistic approach to data security is key as it not only ensures governance and regulatory compliance, but also monitors business processes to protect against undiscovered data loss.

“The FSA fine highlights the challenges organisations are facing when trying to address the issue of data loss prevention. The main reason is that once you consider all the ways data can leak, most organisations begin to resemble Swiss cheese.

“The bottom line is that protecting customer data at the outset is far less costly than dealing with a highly publicised security breach. In the financial services sector, the customer is king, so a breach like this chips away at trust, loyalty and ultimately revenue as customers start to vote with their feet.”

Jackie Groves, UK head of data protection at Sophos, said that the fine should act as a reminder that companies need to take data loss seriously, and that policy and procedures need to mature alongside technology to avoid embarrassing data breaches.

Groves said: “The news is a sharp reminder to other businesses and public sector organisations that they must behave more responsibly with the public's data or face the consequences. This huge financial slap on the wrists sends a very clear message that businesses must take data protection seriously and act now to put a solution in place before a data breach takes place. Sophos believes such steps are vital to ensure the worst breaches of the Data Protection Act are punished and protected against.”

Mark Evans, director at IT service provider Imerja, agreed with Groves, claiming that despite massive media attention and several government warnings on data loss, UK businesses still appear to be reactive rather than proactive in protecting sensitive information.

He said: “In this case reactions have certainly been extremely delayed. Businesses are ultimately always open to risk, so it is essential to have appropriate security systems and controls in place to reduce this threat. After all, it is better to do something than nothing - acting quickly on data loss will ultimately save businesses thousands if not millions in the long term.

“Preventative action should be put in place and is certainly preferable to the embarrassment, reputational damage and financial cost caused by data loss. All businesses, whether large or small, can introduce simple measures such as password protection and encryption, plus appropriate employee education campaigns to communicate the importance of data protection and the seriousness of data breaches.”
