The Financial Services Authority (FSA) has fined the UK branch of Zurich Insurance Plc ("Zurich UK") £2,275,000 following the loss of 46,000 customers' personal details.
The fine is in addition to an Undertaking in relation to data security which Zurich UK has given to the Information Commissioner.
To address the points raised by the FSA, firms should:
- Ensure personal data is only stored on removable media if appropriate encryption is in place;
- Ensure there are clear lines of accountability: ideally, with one person having overall responsibility for data security;
- Check their security incident reporting procedures – these should be clear and the triggers for reporting should be readily understood and consistent across policies;
- Raise staff awareness of the importance of data security;
- Check the firm understands what data is being processed where and by whom: Zurich SA (the group company to which processing had been outsourced) did not realise it was handling UK data, and no Zurich entity was aware of the final sub-contractor responsible for the data loss; and
- Re-assess security measures in outsourced arrangements – ensure there is a regular report on security and that checks are carried out in practice. This should be done irrespective of whether the provider is a group company or a third party.
Zurich UK outsourced the processing of certain customer data to Zurich Insurance Company South Africa Limited (Zurich SA), another member of the Zurich Financial Services Group (the "Group"). In August 2008 an unencrypted back-up tape containing UK customer data was lost whilst being transported from the data centre to a storage facility by a third party contractor. The tape contained personal data belonging to policy holders of Zurich Private Client, Zurich Special Risks and Zurich Business Insurance Direct, including bank account and credit card information, details of insured assets and the type of security arrangements used to protect them. Zurich UK only became aware of the data loss a year later when it was reported as part of a Group data privacy audit.
The FSA held that Zurich UK had failed to take reasonable care to ensure it had effective systems in place to manage the risks relating to the security of customer data under the outsourcing agreement. Zurich UK was found to have relied too heavily on an assumption that Zurich SA was complying with Group policies, instead of checking whether those policies were sufficient and were actually being implemented. Zurich UK itself was also considered not to have met Group policies that required confidential information to be protected by the most secure means, including encryption.
The FSA concluded that Zurich UK should have carried out initial due diligence and ongoing assessments of the risks associated with the outsourcing arrangement and that this lack of oversight may have contributed to the data loss.
The FSA also concluded that Zurich UK's management responsibilities and reporting lines were unclear. Both Compliance and Group IT had some input on data privacy and security; no-one had overall responsibility. The Group policies for security incidents were overlapping and not always consistent. As a result of this failure, the data loss was not known to Zurich UK until 12 months after the incident had taken place and this increased the risk that customer data might have been used for the purposes of financial crime, as customers whose data was lost in August 2008 were unable to take steps to protect their data until they were notified in October 2009.
In light of the above breaches, Zurich UK were found to be in contravention of Principle 3 of the FSA's Principles for Businesses and the Senior Management Arrangements, Systems and Controls sourcebook of the FSA Handbook at SYSC 3.1.1R and SYSC 3.2.6R. These breaches were found to constitute a material risk to the FSA's objectives of reducing financial crime and protecting customers and Zurich UK were therefore fined £2.275m, the largest fine handed out to a single company for data security failings according to the FSA. Previous FSA fines for security breaches have included:
- Nationwide, which was fined £980,000 after a laptop containing customer details was stolen from an employee's home (February 2007); and
- Three HSBC companies, which were fined between £700,000 and £1.6 million each for similar failings (July 2009).
In deciding on an appropriate penalty, the FSA held that a number of factors made Zurich UK's failings particularly serious. Amongst these were the large number of customers potentially affected, the fact that the data had not been encrypted prior to transportation, the delay in the loss being discovered by Zurich UK, and the fact that the failures came after a period of heightened awareness of financial crime as an issue, following in particular a number of government initiatives, FSA reports and media coverage.
The FSA did note that since being alerted to the loss in August 2009, Zurich UK had been quick to inform the relevant authorities and the customers concerned, offering them a range of measures to minimise the risk of identity theft at no additional cost. Zurich UK also commissioned external advisors to complete an investigation, the results of which were shared with the FSA, and implemented a broad package of reforms to try to prevent any further losses. Zurich UK has stressed that there is no evidence to suggest the missing data has been compromised, and the FSA is satisfied that the tape was lost rather than stolen. Finally, as Zurich UK agreed to settle at an early stage of the FSA investigation, the fine was reduced by 30%; it would otherwise have totalled £3.25 million.