The Financial Services Authority (FSA) has imposed fines of nearly £2.3 million against the UK arm of Zurich Insurance over a serious data loss incident in which 46,000 of its customers had their details exposed.
The fine is a new record and the FSA’s Margaret Cole said that it was appropriate because Zurich had failed in its responsibility for the protection of private data, protection that its UK customers had a right to expect.
Zurich’s UK CEO Stephen Lewis admitted that the data loss, which took place two years ago this month, was not acceptable. Included in the data that went missing back in August 2008 were financial details relating to Zurich customers, including account numbers and payment card information.
It took the insurance firm 12 months to detect the loss and it was only then that it was able to inform affected customers. This delay added to the controversy surrounding the original data loss and may have contributed to the scale of the record fine.
The data was lost in South Africa as storage drives were being transferred between centres as part of standard procedures.
The FSA criticised Zurich in a statement, saying that it had not ensured the protection of customer data through adequate policies and data management systems, and had been lax in its use of third-party firms to manage data, consequently underestimating the risks.
The South African branch of Zurich’s operation was deemed to have lacked the necessary controls to ensure that data belonging to UK customers was properly protected against loss and subsequent use in fraud, Cole said.
To date, Zurich has been adamant that the lost data has never been exploited by criminals, adding that improvements to its data protection policy and the appointment of a security executive have been put in place to help prevent any repeat of the incident.
Zurich had originally been facing fines of £3.25 million, but by choosing to accept the FSA’s rulings it saw a 30 per cent reduction in this total.