
UK regulator fines Zurich Insurance 2.275 million pounds ($3.5M) for losing customer data

On August 24, Britain’s financial regulator imposed a record fine of 2.275 million pounds (US$3.5 million) on Zurich Insurance PLC for losing confidential data on 46,000 customers.

The Financial Services Authority said the security breach – which included the loss of identity information and in some cases details of bank accounts, credit cards and insured assets – could have exposed customers to significant losses, although there is no evidence the data has been misused.

The FSA said Zurich Insurance, part of Switzerland’s Zurich Financial Services Group, had outsourced some data work to the company’s South African unit, which lost an unencrypted back-up tape in August 2008. The FSA said the loss wasn’t discovered until a year later.

“Zurich U.K. let its customers down badly,” said Margaret Cole, the FSA’s director of enforcement and financial crime.

She said the company had failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed.

“To make matters worse, Zurich U.K. was oblivious to the data loss incident until a year later,” she said.

“Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich U.K. made,” Cole said.

Stephen Lewis, chief executive of Zurich Insurance, said the company had reviewed data security systems and procedures, and would appoint a dedicated information security officer to ensure compliance.

“This incident was unacceptable,” said Lewis.

“It served to remind us of the need to strive continually to improve the ways in which we seek to protect customers’ data.”

The fine was the largest ever imposed by the FSA on a single company for a data loss, even though Zurich Insurance got a 30 per cent discount from the maximum because it co-operated with the investigation.
