Zurich Insurance Fined £2.28m For Data Loss

Zurich Insurance has been hit with a record fine of £2.28 million, after its sister company Zurich South Africa lost an unencrypted backup tape containing the financial personal information of around 46,000 policy holders.

The tape, which was lost during an apparent routine transfer to a data storage centre in South Africa in 2008, was not reported missing until more than a year later. The Financial Services Authority (FSA) said the security breach could have exposed customers to “serious financial detriment” – although there is no evidence of data being compromised.

The fine is the highest ever paid by a single UK company for a data security failing. However, the FSA noted that Zurich’s willingness to settle “at an early stage of the investigation” resulted in a 30 percent reduction in the fine, which would have amounted to £3.25 million.

“Zurich UK let its customers down badly. It failed to oversee the outsourcing arrangement effectively and did not have full control over the data,” said Margaret Cole, the FSA’s director of enforcement and financial crime. “Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made.”

Personal information

The data lost included identity details, and in some cases bank account and credit card information, details about insured assets and security arrangements. Affected customers were informed of the problem in October 2009.

“This incident was unacceptable. It served to remind us of the need to strive continually to improve the ways in which we seek to protect customers’ data,” said Stephen Lewis, chief executive of Zurich UK in a statement. “Supported by KPMG, we therefore commissioned a comprehensive review of our data security systems and procedures and have taken a number of steps designed to enhance those procedures.”

The company is planning to appoint a dedicated Information Security Officer, to oversee data protection and ensure that appropriate measures are in place. “We believe our customers can be confident that we are doing everything we can to keep their data secure and protected,” Lewis added.

Zurich came under fire from the Information Commissioner’s Office (ICO) over the incident earlier this year. Commenting on the loss, ICO head of enforcement and investigations Sally-Anne Poole said that it is vital that organisations ensure effective safeguards are in place to protect personal information.

“Failure to adequately protect personal details could lead to information falling into the wrong hands and ultimately the loss of customers’ trust and confidence,” she said. “I encourage all organisations to report any serious data security breaches to us so that the nature of the breach or loss can be considered.”

Data loss fines

Earlier this year the ICO warned that businesses that do not own up to data breaches will face tougher action than those that come forward of their volition. Companies that fall foul of data breach laws risk a maximum fine of £500,000 under new powers granted to the ICO in January.

However, the ICO has still issued no fines, despite naming and shaming a whole host of institutions and public service organisations that have been subject to data breach. In June, for example, the ICO published a list of all the data breaches reported since 2007. Of the 1,007 reported breaches, the NHS was responsible for 305.

“Why, in a digital economy, are businesses and government still using old fashioned physical means to transfer important data?” asked Tim Holyoake, security technologist at Software AG. “It is wholly negligent.  After countless examples of lost tapes, laptops and USB sticks it is high time that executives put a stop to this by switching to secure electronic data transfer.”

“This incident raises a much wider debate about organisations’ overall approach to data security,” he added. “Managers need to treat customer data with the same level of security as they do company cash. A bank wouldn’t take a year to notice missing money, so why is critical customer information being treated with a lower level of priority?  Because organisations are too myopic or lazy to impose mandatory policies and procedures to enforce only encrypted electronic transfer for sensitive information, so sending a USB stick is the easy option.”