
46 000 reasons for the ICO to slap the wrist of Zurich Insurance

25 March 2010

As expected, Zurich Insurance has been found to be in breach of the Data Protection Act after reporting the loss of an unencrypted backup tape that contained the personal financial data on 46 000 policyholders, as well as another 1800 people.

The Information Commissioner's Office (ICO) says that the data was lost by Zurich Insurance South Africa during a routine transfer to a data storage centre in South Africa in August of 2008.

The incident was not reported to Zurich Insurance's headquarters for over a year, according to the ICO, which says that an internal investigation revealed a number of inadequately managed IT security procedures at the company's operations centre.

As a result of the investigation, Stephen Lewis, UK branch manager of Zurich Insurance, has signed an undertaking with the ICO, pledging that his company will ensure that relevant data security procedures – including encryption systems – are in place before data is moved.

The insurer has also agreed to monitor and promptly report any data security weaknesses or breaches, and ensure that staff plus any external contractors are made aware of security procedures.

Sally-Anne Poole, head of enforcement and investigations at the ICO, said that it is vital that organisations ensure that effective safeguards are in place to protect personal information.

"Failure to adequately protect personal details could lead to information falling into the wrong hands and ultimately the loss of customers' trust and confidence", she said.

Chris McIntosh, CEO of data encryption specialist Stonewood, said that you have to wonder why organisations have not yet realised that if they are moving sensitive data around it has to be encrypted.

"After all the incidents we have had in the last few years, you would have thought people would have learned", he said.

"However, it's good to see the ICO becoming more strict and making these rulings, as it highlights the need for organisations to ensure that the security of the data they hold is airtight at every single step in that data's lifecycle", he added.

According to McIntosh, this goes beyond ensuring that company laptops are encrypted and that data is not transferred onto portable devices.

"If a storage device, whether a PC hard drive, a USB stick or a backup tape, could hold personal data at any point, then that device needs to be as secure as possible. This means using encryption, and implementing policies to make any loss or security breach as difficult and as inconsequential as possible", he said.

"This is especially important when operating in regions such as South Africa which, unfortunately, has a reputation for data theft and fraud", he added.
