Zurich Insurance hit by record £2.3m fine for data loss

Simon Quicke

The cost of losing customer details has been a staggering £2.3m for Zurich Insurance after the financial firm was slapped with a large fine for letting sensitive data slip through its fingers.

The Financial Services Authority handed out the fine, which is the highest dished out so far to a single company for failing to secure data, following the loss of 46,000 customer personal details back in 2008.

With the threat of fines of half a million also coming from the Information Commissioner's Office, the action by the FSA will have further highlighted the need to secure personal data, and it comes just weeks before the deadline by which retailers have to meet the credit card security demands of the PCI compliance regulations.

Although the Zurich information doesn't seem to have been compromised, the fine reflects the risk the company potentially exposed customers to, as well as the lack of effective security systems and controls.

The Zurich loss of customer records, including credit card and banking details, emerged a year after a backup tape had gone missing at the firm's South African operation, which was being used as an outsourcer for data processing. The UK business did not discover the data loss until a year later.

Margaret Cole, the FSA's director of enforcement and financial crime, said that other firms in the financial sector needed to sit up and take notice and learn from the Zurich example.

"Zurich UK let its customers down badly. It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA. To make matters worse, Zurich UK was oblivious to the data loss incident until a year later," she said.

John Redeyoff, operations director at NCC Group, said that the Zurich problems highlighted the dangers of outsourcing responsibility for looking after customer data.

"Whilst businesses outsource key processes, such as call centres or back-office processing, and technology services, such as data centre provision, they cannot outsource the risk. The businesses still own the risk and, as such, they are accountable to statutory bodies such as the FSA, and to their customers," he said.

"In addition, if an organisation is outsourcing services, it means that data is being passed between different organisations, and in the case of Zurich, between countries. This increases the risk of data loss further," he added.
