Zurich Insurance Data Loss ‘Beyond Unacceptable’

A data backup tape lost by Zurich Insurance on its way to South Africa contained the financial details of 46,000 policy holders

The Information Commissioner’s Office (ICO) has named and shamed Zurich Insurance for the loss of an unencrypted backup tape containing the financial personal information of around 46,000 policy holders by its sister company Zurich Insurance Company South Africa.

Although the data loss is though to have occurred on 11 August 2008, the sister company did not inform Zurich Insurance until more than a year later according to the ICO. The tape was lost during an apparent routine transfer to a data storage centre in South Africa.

The UK branch manager of Zurich Insurance Stephen Lewis has now signed an undertaking to improve the secure transfer of data in the future and use encryption where possible.

Commenting on the loss, ICO head of enforcement and investigations Sally-Anne Poole said that it is vital that organisatons ensure effective safeguards are in place to protect personal information. “Failure to adequately protect personal details could lead to information falling into the wrong hands and ultimately the loss of customers’ trust and confidence,” she said.

Poole urged any business that have suffered a data breach to report the incident as soon as possible. “I encourage all organisations to report any serious data security breaches to us so that the nauture of the breach or loss can be considered.”

Earlier this year the ICO warned that businesses that do not own up to data breaches will face tougher action than those that come forward of their volition. Companies that fall foul of data breach laws risk a maximum fine of £500,000 under new powers granted to the ICO in January.

Also commenting on the Zurich Insurance incident, Chris McIntosh, chief executive of data encryption specialist Stonewood said that having strict data transfer policies was vital when sending information abroad – especially to countries with a questionable security record.

“This is especially important when operating in regions such as South Africa which, unfortunately, has a reputation for data theft and fraud,” he said. “Waiting a year, as Zurich’s sister company did on this occasion is quite frankly beyond unacceptable.”