Zurich Insurance Plc (UK) has been fined £2.275m by the FSA for data security failings. This is the highest fine levied to date on a single firm for such failings, and emphasises the importance of having adequate systems and controls in place to prevent the loss of customers’ confidential information.
Zurich UK outsourced various data processing functions to Zurich South Africa (ZICSA). On 11 August 2008, one of ZICSA’s subcontractors lost an unencrypted back-up tape during a routine transfer to a data storage centre. The tape contained personal information relating to 46,000 policy holders and 1,800 third parties including bank account, credit card and identity details. Deficiencies in the management of security procedures involving data tapes in South Africa potentially also affected a further 5,000 UK customers.
Zurich UK did not become aware of the data loss incident until 14 August 2009, when the incident was reported following a Group data privacy audit undertaken at ZICSA. Subsequent internal investigations revealed failings in the management of security procedures at ZICSA, and Zurich UK’s failings in managing the outsourcing arrangement and the associated risks.
Zurich UK was found to have breached the FSA’s Principle 3 by failing to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. Zurich UK also failed to take reasonable care to establish and maintain systems and controls that were appropriate to its business, and failed to take reasonable care to establish and maintain effective systems and controls to counter the risk that Zurich UK might be used to further financial crime.
In an accompanying press release, Margaret Cole, the FSA’s director of enforcement and financial crime, said that “Zurich UK let its customers down badly. It failed to oversee the outsourcing arrangement effectively and did not have full control over the data. To make matters worse, Zurich UK was oblivious to the data loss incident until a year later. Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made.”
Zurich qualified for a 30% discount on the fine for early settlement, which would otherwise have been £3.25m. The FSA has previously fined HSBC (£3m paid by three affiliated companies in 2009), Nationwide (£980k in 2007) and Norwich Union (£1.26m in 2007) for data loss.
We examined the risks of data loss and how to prevent it in our December 2009 Update.