The fine, the heaviest yet for a data loss, came after the FSA uncovered failings in Zurich UK's systems and controls.
The FSA warned in 2008 that financial services firms were not checking their controls over outsourced data processing.
The FSA investigation followed the loss of 46 000 customers' personal details, including identity details and, in some cases, bank account and credit card information, details about insured assets and security arrangements. Zurich was unaware for a year that it had lost the data.
"The loss could have led to serious financial detriment for customers and even exposed them to the risk of burglary", the FSA said in a statement.
Zurich UK said it had seen no evidence to suggest that the lost data was compromised or misused.
Outsourced data
The FSA said Zurich UK had outsourced the processing of some of its general insurance customer data to its South African subsidiary.
"In August 2008, Zurich SA lost an unencrypted back-up tape during a routine transfer to a data storage centre. As there were no proper reporting lines in place Zurich UK did not learn of the incident until a year later", the FSA said.
"Zurich UK failed to take reasonable care to ensure it had effective systems and controls to manage the risks relating to the security of customer data resulting from the outsourcing arrangement.
"The firm also failed to ensure that it had effective systems and controls to prevent the lost data being used for financial crime," it said.
The FSA's director of enforcement and financial crime, Margaret Cole, said Zurich UK had let down its customers badly. "Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made."
As Zurich UK agreed to settle at an early stage of the investigation the firm qualified for a 30% discount. Without this, the firm would have had to pay £3.25m.
The FSA has previously fined HSBC, Nationwide and Norwich.
This story was first published by Computer Weekly
Comments
Nick_msc says:
24 August 2010
The announcement of Zurich’s fine from the FSA demonstrates that any organisation that either requires users to log on or retains customers’ confidential information should ensure that it has suitable systems in place to prevent data leakage.
Not only have Zurich been fined a large amount of money, but they have potentially damaged their reputation far beyond this charge. It is irrelevant that the information, according to Zurich, was not misused; the point is that it should never have been leaked. There are services available which prevent such leakages, and industries such as banking in particular should have the appropriate precautions in place. As a Managed Security Services company (www.msc247.com), we work with a number of the UK’s leading Building Societies to ensure that their customers’ information is wholly protected.