FSA hits Zurich Insurance with heaviest fine yet for data loss

The fine, the heaviest yet for a data loss, came after the FSA uncovered failings in Zurich UK's systems and controls.

The FSA warned in 2008 that financial services firms were not checking their controls over outsourced data processing.

The FSA investigation followed the loss of 46 000 customers' personal details, including identity details, and in some cases bank account and credit card information, details about insured assets and security arrangements. Zurich was unaware that it had lost the data for a year.

"The loss could have led to serious financial detriment for customers and even exposed them to the risk of burglary", the FSA said in a statement.

Zurich UK said it had seen no evidence to suggest that the lost data was compromised or misused.

Outsourced data

The FSA said Zurich UK had outsourced the processing of some of its general insurance customer data to its South African subsidiary.

"In August 2008, Zurich SA lost an unencrypted back-up tape during a routine transfer to a data storage centre. As there were no proper reporting lines in place Zurich UK did not learn of the incident until a year later", the FSA said.

"Zurich UK failed to take reasonable care to ensure it had effective systems and controls to manage the risks relating to the security of customer data resulting from the outsourcing arrangement.

"The firm also failed to ensure that it had effective systems and controls to prevent the lost data being used for financial crime," it said.

The FSA's director of enforcement and financial crime, Margaret Cole, said Zurich UK had let down its customers badly. "Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made."

As Zurich UK agreed to settle at an early stage of the investigation the firm qualified for a 30% discount. Without this, the firm would have had to pay £3.25m.

The FSA has previously fined HSBC, Nationwide and Norwich.

This story was first published by Computer Weekly

What’s Hot on Infosecurity Magazine?