The Solicitor - The FindLaw UK Life, Family and Workplace Law Blog

Zurich Insurance pay record fine for losing 46,000 customers' personal data

| No TrackBacks

Zuirch Insurance incurred the wrath of the Financial Services Authority this week as it was ordered to pay a £2m fine for losing the person information of 46,000 customers, including identity details, bank and credit card information and details about insured assets and security arrangements.

The fine is the largest ever imposed by the FSA on an individual firm.

Zurich lost the data in 2008 after its UK division outsourced some of its work to South Africa. The data was stored on an unencrypted back-up tape during a routine transfer to a data storage centre.

FSA slated Zurich for failing to establish 'proper reporting lines' as a result of which the UK company did not realise the data was missing until the second half of 2009.

As yet, there is no evidence that the data has been compromised or misused. But the FSA has warned that the loss could lead to serious financial detriment for customers, even exposing them to the risk of burglary.

Margaret Cole, the FSA's director of enforcement and financial crime, said: "Zurich UK let its customers down badly. It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA. To make matters worse, Zurich UK was oblivious to the data loss until a year later.

"Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made."

Zurich UK had failed to take reasonable care to ensure it could effectively manage the risks relating to the security of customer data following the outsourcing, she added. The company also failed to ensure it could prevent the lost data being used for financial crime.

Stephen Lewis, the chief executive of Zurich Insurance PLC, acknowledged that the incident was "unacceptable". He said the company commissioned a review of its data security systems and procedures by KPMG following the data loss. He added: "We are appointing a dedicated information security officer to provide assurance that appropriate measures are in place and that they will continue to be effective. We believe our customers can be confident that we are doing everything we can to keep their data secure and protected."

Related links:

No TrackBacks

TrackBack URL: http://blogs.findlaw.co.uk/mt-bin/mt-tb.cgi/48380