
Lost Backup Tape Equals Big Fine For Zurich

Posted by Harry Burton

The Financial Services Authority (FSA) has issued the largest ever fine to a single company after Zurich Insurance Company lost a backup tape containing the private details of over 46,000 policy holders.

The insurer has been fined a total of £2.75 million after the FSA deemed ‘inadequate systems and controls’ were in place for ensuring the protection of customer data. The fine was reduced from £3.25 million after the firm agreed to settle at an early stage in the investigation process. It is the largest fine the FSA has issued to a single company to date.

The case surrounds the loss of a single backup tape in South Africa. Apparently, Zurich UK had outsourced the processing of some of its customer data to their South African division and the backup tape was lost in transit between one of their data centres and a third party storage facility. It is understood that a subcontractor was responsible for the tape’s loss – in a data transfer order commissioned without the consent of Zurich UK.

The tape – which was not encrypted – contained identity details, bank accounts and credit card information relating to Zurich UK customers. It took one year for the UK division to be made aware of the incident, although they did notify the Information Commissioner’s Office as soon as the fault was realised.

The FSA said that the data loss could have led to serious financial detriment for customers, exposing them to the risk of fraud or burglary.

Margaret Cole, the FSA’s director of enforcement and financial crime, said other firms should look at the details of the case and learn from Zurich UK’s mistakes.

“Zurich UK failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA. To make matters worse, Zurich UK was oblivious to the data loss incident until a year later.”

Zurich UK has subsequently agreed to sign an undertaking in respect of its breach of the Data Protection Act 1998.

 


