The Zurich Insurance £2.27M fine has shed light on the challenges faced when transferring data between global offices.

The Financial Services Authority (FSA), which levied the fine, said that the incident occurred when Zurich outsourced the processing of some of its general insurance customer data to Zurich Insurance Company South Africa (Zurich SA), and that an unencrypted backup tape was lost during a routine transfer to a data storage centre. Because there were no proper reporting lines in place, Zurich UK did not learn of the incident until a year later.

Talking to SC Magazine, Hugo Harber, director of convergence and network strategy at managed services provider Star, claimed that he was shocked that Zurich did not encrypt its backup data and that the security of data was not considered.

He said: “I am not criticising Zurich as this could have happened to any big business, but how many businesses have not understood the importance of it? There is also the storage of data in transmission as this is a critical point for the business.

“From one perspective this is personal data and it details who the customers were. It is much more serious these days as names can be transmitted with an SLA. This is a very mature market.”

He also said that the reporting issue is interesting: even though the business is based in the UK and the loss occurred abroad, it does not matter where in the world you ship data, as you are still covered by the FSA regulation.

“There are still a lot of systems in shipping data offshore, and the FSA has made its case for data backup,” he said.

Asked if this incident will raise awareness of secure backup, Harber said: “I hope so, I find that when we talk to our customers about data management there is a whole lot of things that they don't consider. They don't think about where they put it so security, people don't want to talk about it, as it is a headache.

“It is difficult to make a request to the board, so we need fines like this for the board to make a conscious decision to invest in the security of data. Every business has a duty of care to their customers, so we find customers have issues around what to do with it as they don't know what they have and where it is kept.”

Commenting, Edy Almer, VP of marketing at Safend, claimed that the news highlights not only the importance of effective management processes, but also the financial and reputational damage of failing to ensure that these are enforced.

He said: “The incident has highlighted a failing in outsourcing arrangements that had been made. The fact that, as far as we know, the back-up tapes on to which the data was transferred were unencrypted - and that the loss of data went unknown for a year - shows a massive flaw in control and processes.

“Encryption would have been a safe harbour had it been used. Had Zurich encrypted data transfers, securely transferred and logged it, and had a solid DLP system in place, with good auditable records, the problem could have been avoided.

“The penalties for data loss are getting tougher, and it's simply not worth the risk of saving a few hundreds of thousands of pounds, when fines into the millions can be levied. Encrypted secure logged transfers over DVD or secure web or any other way would have avoided the problem.

“Organisations, across all industry sectors, need to remember that, whether sensitive data is in transit or at rest, it needs to be properly stored, secured and encrypted to prevent a loss of this kind. The goal should be to invest in data protection now, to avoid paying more later.”

Harber concluded by insisting once again that he did not blame Zurich, as he believed that their operations in the UK are 'watertight', but the problems lie further down the chain.

Regardless of who is to blame, the fact that this has raised awareness of so many issues is why it has remained newsworthy. As Harber said, companies may use this to raise concern at board level to ensure that they are not the next in the headlines for similar reasons, and that may be the point of the fine from the FSA in the first instance.