The Financial Services Authority (FSA) has fined the UK branch of Zurich Insurance Plc (Zurich UK) £2,275,000 for failing to have adequate systems and controls in place to prevent the loss of customers’ confidential information. The fine is the highest levied to date on a single firm for data security failings.
The failings came to light following the loss of 46,000 customers’ personal details, including identity details, and in some cases bank account and credit card information, details about insured assets and security arrangements. The loss could have led to serious financial detriment for customers and even exposed them to the risk of burglary.
Zurich UK has seen no evidence to suggest that the personal data was compromised or misused.
Zurich UK outsourced the processing of some of its general insurance customer data to Zurich Insurance Company South Africa Limited (Zurich SA). In August 2008, Zurich SA lost an unencrypted back-up tape during a routine transfer to a data storage centre. As there were no proper reporting lines in place Zurich UK did not learn of the incident until a year later.
Zurich UK failed to take reasonable care to ensure it had effective systems and controls to manage the risks relating to the security of customer data resulting from the outsourcing arrangement.
The firm also failed to ensure that it had effective systems and controls to prevent the lost data being used for financial crime.
Margaret Cole, the FSA’s director of enforcement and financial crime, commented:
"Zurich UK let its customers down badly. It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA. To make matters worse, Zurich UK was oblivious to the data loss incident until a year later.
"Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made."
As Zurich UK agreed to settle at an early stage of the investigation the firm qualified for a 30 per cent discount. Without this discount the firm would have been fined £3.25 million.
Notes for editors
- The Final Notice for Zurich Insurance Plc[1] can be found on the FSA website.
- Zurich’s failings were in breach of Principle of Business 3 (management and control) and the FSA’s System and Controls rules.
- The FSA has previously fined HSBC, Nationwide and Norwich Union for data loss.
- The FSA regulates the financial services industry and has five objectives under the Financial Services and Markets Act 2000: maintaining market confidence; promoting public understanding of the financial system; securing the appropriate degree of protection for consumers; fighting financial crime; and contributing to the protection and enhancement of the stability of the UK financial system.