Zurich fined £2.3m by FSA over loss of back-up tape

Out-Law News | 25 Aug 2010 | 10:10 am | 3 min. read

The Financial Services Authority (FSA) has fined Zurich Insurance £2,275,000 after a back-up tape containing unencrypted personal details on 46,000 policy holders went missing in transit. The FSA said Zurich had inadequate systems and controls in place.

The fine is the highest levied to date on a single firm for data security failings, according to the UK regulator.

Zurich UK outsourced the processing of some of its general insurance customer data to Zurich Insurance Company South Africa Limited (Zurich SA). The FSA reported that in August 2008, an unencrypted back-up tape was lost during a routine transfer from a data centre in South Africa to a third party data storage facility.

The tape was lost by a subcontractor engaged by Zurich SA. The FSA found that the subcontractor had been engaged without Zurich UK's written consent.

The missing tape included identity details and in some cases bank account and credit card information. Zurich UK did not learn of the incident until a year later.

The FSA said the loss could have led to serious financial detriment for customers and exposed them to the risk of burglary. It found that the insurer had failed to take reasonable care to ensure it had effective systems and controls to manage the risks relating to the security of customer data resulting from the outsourcing arrangement. The firm also failed to ensure that it had effective systems and controls to prevent the lost data being used for financial crime.

In particular, the FSA said:

  • Zurich UK did not carry out an ongoing assessment of the risks connected with the outsourcing arrangement in that it failed to carry out adequate due diligence on the data security procedures used by Zurich SA and its subcontractors.
  • Zurich UK did not obtain sufficient management information from Zurich SA to enable Zurich UK to identify, measure, manage and control data security and financial crime risks.
  • Zurich UK considered that it was entitled to rely on Zurich SA being in compliance with Zurich Group policies, in particular a policy requiring appropriate security measures, including encryption of confidential data. However, Zurich UK did not adequately consider whether this reliance on Group policies was sufficient and did not determine for itself whether appropriate data security policies had been adequately implemented by Zurich SA.
  • There was a failure to put in place proper reporting lines between Zurich SA and Zurich UK.
  • There was a lack of clarity within Zurich UK in relation to the functional responsibility for providing assurance to management that data security issues were being appropriately identified and managed. Various members of senior management had responsibility for data security issues, but there was no single data security manager with overall responsibility.

The FSA found that Zurich UK had failed in its duties under Principle 3 of the FSA's Principles for Businesses. Principle 3 states: "A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems."

It also found breaches of two of the rules of the Senior Management Arrangements, Systems and Controls sourcebook, known as SYSC.

The FSA said that Zurich UK had a duty under rule SYSC 3.1.1R to take reasonable care to establish and maintain such systems and controls as are appropriate to its business; and under SYSC 3.2.6R to take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that Zurich UK might be used to further financial crime.

Margaret Cole, the FSA’s director of enforcement and financial crime, said other firms should look at the details of the case and learn from Zurich UK's mistakes.

"[Zurich UK] failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA," said Cole. "To make matters worse, Zurich UK was oblivious to the data loss incident until a year later."

The FSA noted that Zurich UK has seen no evidence to suggest that the personal data was compromised or misused. It said that Zurich UK notified affected customers and offered a range of measures to minimise their risk of identity theft, all of which Zurich UK offered to pay for. Zurich UK also notified the Information Commissioner's Office of the data loss and subsequently agreed to sign an undertaking in respect of its breach of the Data Protection Act 1998.

Because the firm agreed to settle at an early stage of the investigation it qualified for a 30% discount. Without this discount the firm would have been fined £3.25 million.