The Financial Services Authority (FSA) has fined Zurich Insurance £2,275,000 after a back-up tape containing unencrypted personal details on 46,000 policy holders went missing in transit. The FSA said Zurich had inadequate systems and controls in place.
The fine is the highest levied to date on a single firm for data security failings, according to the UK regulator.
Zurich UK outsourced the processing of some of its general insurance customer data to Zurich Insurance Company South Africa Limited (Zurich SA). The FSA reported that in August 2008, an unencrypted back-up tape was lost during a routine transfer from a data centre in South Africa to a third party data storage facility.
The tape was lost by a subcontractor engaged by Zurich SA. The FSA found that the subcontractor had been engaged without Zurich UK's written consent.
The missing tape included identity details and in some cases bank account and credit card information. Zurich UK did not learn of the incident until a year later.
The FSA said the loss could have led to serious financial detriment for customers and exposed them to the risk of burglary. It found that the insurer had failed to take reasonable care to ensure it had effective systems and controls to manage the risks relating to the security of customer data resulting from the outsourcing arrangement. The firm also failed to ensure that it had effective systems and controls to prevent the lost data being used for financial crime.
In particular, the FSA found that Zurich UK had failed in its duties under Principle 3 of the FSA's Principles for Businesses. Principle 3 states: "A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems."
It also found breaches of two of the rules of the Senior Management Arrangements, Systems and Controls sourcebook, known as SYSC.
The FSA said that Zurich UK had a duty under rule SYSC 3.1.1R to take reasonable care to establish and maintain such systems and controls as are appropriate to its business; and under SYSC 3.2.6R to take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that Zurich UK might be used to further financial crime.
Margaret Cole, the FSA’s director of enforcement and financial crime, said other firms should look at the details of the case and learn from Zurich UK's mistakes.
"[Zurich UK] failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA," said Cole. "To make matters worse, Zurich UK was oblivious to the data loss incident until a year later."
The FSA noted that Zurich UK has seen no evidence to suggest that the personal data was compromised or misused. It said that Zurich UK notified affected customers and offered a range of measures to minimise their risk of identity theft, all of which Zurich UK offered to pay for. Zurich UK also notified the Information Commissioner's Office of the data loss and subsequently agreed to sign an undertaking in respect of its breach of the Data Protection Act 1998.
Because the firm agreed to settle at an early stage of the investigation it qualified for a 30% discount. Without this discount the firm would have been fined £3.25 million.