Zurich hit with £2.27 million data loss fine


Zurich Insurance's UK branch has been fined 2.275 million by the Financial Services Authority (FSA) following the loss of 46,000 customers' data.

Bank account and credit card information was lost by Zurich, along with identity details and information on insured assets and security arrangements.

The incident occurred in 2008 when the company's UK branch outsourced the processing of some of its general insurance customer data to Zurich Insurance Company South Africa (Zurich SA).

An unencrypted back-up tape was misplaced by Zurich SA during a standard transfer to a data centre.

Zurich UK did not learn about the loss until a year later as there were not any adequate reporting lines in place, the FSA said.

The regulatory body concluded Zurich UK did not have effective systems and controls in place to manage the risks involved in protecting customer data in relation to the outsourcing deal.

Furthermore, Zurich did not have sufficient protection in place to ensure lost data would not be used for financial crime, the FSA claimed.

"Zurich UK let its customers down badly," said Margaret Cole, the FSA's director of enforcement and financial crime.

"It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA. To make matters worse, Zurich UK was oblivious to the data loss incident until a year later."

Zurich's UK chief executive (CEO), Stephen Lewis, said: "This incident was unacceptable. It served to remind us of the need to strive continually to improve the ways in which we seek to protect customers' data."

He also confirmed Zurich UK would be hiring an information security officer to ensure protection measures are effective.

The fine is the biggest financial penalty levied on a single organisation ever in the UK for a data security issue.

Had the firm not agreed to settle at an early stage of the investigation, the fine would have been 3.25 million.

To date, Zurich has not seen any evidence to suggest the lost data was compromised or used for criminal activities.

A sufficient deterrent?

Earlier this year, the Information Commissioner's Office (ICO) made Zurich's Lewis sign an undertaking to ensure whenever back-up tapes were in transit, the right data security procedures, such as encryption, would be in place.

This was before the ICO was able to fine up to 500,000 for data breaches, but Stewart Room, partner in Field Fisher Waterhouse's Privacy and Information Law Group, claimed this case highlighted the limited powers of the ICO.

"It does throw into relief, yet again, the adequacy of the 500,000 penalty for the information commissioner, where the FSA has already shown that it needs something that is at least four-and-a-half times as large," Room told IT PRO.

"This case demonstrates once again that what we need is a more unified approach to security but within regulation."

Room, who is also a director of the Cyber Security Challenge UK, called into question how far the FSA fine will go in acting as a deterrent.

"I don't believe that this fine will act as a wake up call to the financial services industry. Nor do I believe that the financial services industry will resolve all its problems now that this fine has been published," he added.

"I think the FSA will need to scale up fines considerably before it becomes such a deterrent effect."

Room also suggested Zurich's reputation will not be irrevocably damaged by the data security failings.

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.