NU Online News Service, Aug. 24, 3:34 p.m. EDT
The United Kingdom Financial Services Authority (FSA) said it has fined Zurich Insurance plc's UK branch (ZIP UK) over £2.28 million ($3.52 million at current exchange rate) due to the loss of personal data for 46,000 customers in 2008.
The FSA said the data lost includes identity details, and in some cases bank account and credit card information, details about insured assets and security arrangements. "The loss could have led to serious financial detriment for customers and even exposed them to the risk of burglary," the FSA said in a statement.
According to the FSA, ZIP UK outsourced the processing of some of its general insurance customer data to Zurich Insurance Company South Africa Limited (Zurich SA), and Zurich SA lost an unencrypted back-up tape during a routine transfer to a data storage center in August 2008. "As there were no proper reporting lines in place [ZIP UK] did not learn of the incident until a year later," the FSA said.
The FSA noted that this is the highest fine it has imposed to date on a single firm for data security failings. The fine would have been even higher, the FSA said, but ZIP UK qualified for a 30 percent discount because it agreed to settle early on in the investigation.
The FSA said ZIP UK failed to have effective systems and controls to manage the risks relating to the security of customer data resulting from the outsourcing arrangement, and failed to ensure that it had effective systems and controls to prevent the lost data being used for financial crime.
Margaret Cole, the FSA's director of enforcement and financial crime, said in a statement, "[ZIP UK] let its customers down badly. It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA. To make matters worse, [ZIP UK] was oblivious to the data loss incident until a year later."
ZIP UK acknowledged the settlement in a statement, and Stephen Lewis, chief executive of the company, said, "This incident was unacceptable. It served to remind us of the need to strive continually to improve the ways in which we seek to protect customers' data."
He added that the company has taken steps to enhance its security systems and procedures and has appointed a dedicated information security officer "to provide ongoing assurance that appropriate measures are in place and that they will continue to be effective."