Zurich Insurance has been hit with a fine of more than £2 million by the FSA following the loss of 46,000 customers' personal details.
The Financial Services Authority (FSA) fined the UK branch of Zurich Insurance £2,275,000 for failing to have adequate systems and controls in place to prevent the loss of customers' confidential information. The fine is the highest levied to date on a single firm for data security failings. The incident was reported by SC Magazine last year.
The incident occurred when Zurich outsourced the processing of some of its general insurance customer data to Zurich Insurance Company South Africa (Zurich SA). In August 2008, Zurich SA lost an unencrypted back-up tape during a routine transfer to a data storage centre and as there were no proper reporting lines in place, Zurich UK did not learn of the incident until a year later.
The FSA assessment stated that Zurich UK failed to take reasonable care to ensure it had effective systems and controls to manage the risks relating to the security of customer data resulting from the outsourcing arrangement. It also said that Zurich failed to ensure that it had effective systems and controls to prevent the lost data being used for financial crime.
The lost data on policyholders includes identity details and, in some cases, bank account and credit card information, details of insured assets and security arrangements. Although Zurich UK said that it has seen no evidence to suggest that the personal data was compromised or misused, the FSA accused it of letting its customers down badly.
Margaret Cole, the FSA's director of enforcement and financial crime, said: “Zurich UK let its customers down badly. It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA. To make matters worse, Zurich UK was oblivious to the data loss incident until a year later.
“Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made.”
Zurich UK agreed to a settlement at an early stage of the investigation, resulting in a 30 per cent discount. Without this discount the fine would have been £3.25 million.
Kevin Bocek, director of product marketing at IronKey, told SC Magazine that he thought the fine was in line with research on the cost of a data breach. He said: “This is another example of where business plans override the solutions of IT and it happens every day. This fine is in line with the Ponemon research on data breaches and those managers need to look at this and stop saying ‘it won't happen to me’.
“It is the same with the NHS; it is basic human nature, but it does happen. The good thing is that there are simple ways to address this, but it takes time for processing to address this and we will hear about it again.
“Within all business processes there are day-in and day-out problems that need to be addressed, and we continue to create problems and it keeps on going back. I hope that IT managers will take the lead and use this to get the business attention.”
The ICO found Zurich to be in breach of the Data Protection Act in March this year, with the UK branch manager signing an undertaking to ensure that, where any future movement of back-up tapes is required, appropriate data security procedures, including the use of encryption where appropriate, are in place.
A spokesperson for the Information Commissioner's Office (ICO) said: “The ICO has already taken regulatory action against Zurich Insurance in March this year. We used the powers which were available to us at the time; our powers to use monetary penalties only became available to us on the 6th April this year.”
Chris McIntosh, CEO of Stonewood, said: “After all the incidents reported in the last few years and the ICO continually pushing for increased powers to fine organisations, you would have thought people would have learned. Zurich's near £2.28 million fine is the largest we've seen for a single loss and should act as a wake-up call.
“It's good to see organisations such as the FSA becoming more strict and making these rulings, as it highlights the need for organisations to ensure that data is always safe. This fine puts a stark fact into focus: if organisations are moving sensitive data around it has to be encrypted. It doesn't matter whether it is on a computer or a USB stick, or held by a third party, if you hold personal data you must eliminate the risk of it getting into the wrong hands.
“As the FSA has made clear, the issue with this incident is not just the loss itself, it is the tardiness with which it was eventually reported. This resulted in the personal data of a further 5,000 UK customers being threatened as security wasn't immediately tightened up following the initial loss. As well as securing data, organisations have to ensure that they report and react to any incidents swiftly. Waiting a year, as Zurich's sister company did on this occasion, is quite frankly beyond unacceptable.”