
Zurich Insurance has been fined more than £2m over the loss of 46,000 customers' personal details.

On Tuesday this week, the Financial Services Authority (FSA) imposed a fine of £2,275,000 on Zurich Insurance for losing a back-up tape containing the personal details of 46,000 of its customers. This is the largest fine that a single firm has received for data security failings, and it comes on the back of a year of changes and strengthening at the Information Commissioner's Office (ICO).
Zurich outsourced some customer data processing to a South African subsidiary, Zurich SA, which in August 2008 lost an unencrypted back-up tape in transit. The affected customers were not told about the breach for a year.
“As there were no proper reporting lines in place Zurich UK did not learn of the incident until a year later,” the FSA noted in a statement, adding that Zurich UK’s willingness to settle “at an early stage” of the investigation led to a 30-percent reduction in the fine. It would otherwise have been £3.25m.
“Zurich UK let its customers down badly,” Margaret Cole, the FSA’s director of enforcement and financial crime, said in a statement. “It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA. To make matters worse, Zurich UK was oblivious to the data loss incident until a year later.”
“Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made.”

Comment
A number of failings led to this major loss of data, which has cost Zurich not only financially but also reputationally. Most of them are failures of process: because Zurich had no data governance management system of any kind, the business appears to have been running with a high risk of data loss for some time, and this one lost tape was simply the catalyst for the breach. Zurich says there is no evidence that the lost data, which included personal details and bank account information, has been misused. But that is not the point, and in March the ICO found the company guilty of breaching the Data Protection Act.
Zurich has now changed its internal procedures to reduce the risk of data loss, which is good news. We hope this case makes other companies, large and small, sit up and think hard about whether they have assessed the data loss risks within their own business.