In March this year, Zurich Insurance Plc was forced by the Information Commissioner’s Office (ICO) to confess publicly to the loss of 46,000 records containing customers’ personal information.
The revelation came just days before the ICO acquired new powers to impose up to a £500,000 fine for a data breach. However, if the people at Zurich thought they’d got off with a written warning and some public shame, they were wrong.
The UK operation of Zurich Insurance has been fined £2.27m by the Financial Services Authority (FSA) for losing personal details of 46,000 customers. This is the highest fine levied on a single firm for data security failings.
Margaret Cole, the FSA’s director of enforcement and financial crime, said: “Zurich UK let its customers down badly.”
The data on policyholders, including in some cases bank account and credit card information, went missing in August 2008. However, Zurich did not become aware of the loss until a year later, and only then began notifying customers.
The FSA said in a statement: “Zurich UK failed to take reasonable care to ensure it had effective systems and controls to manage the risks relating to the security of customer data resulting from the outsourcing arrangement.”
The size of this fine should send a signal to all those responsible for ensuring the security of customer data that the authorities will crack down hard on any data loss.
Up until now, too many companies and organisations have failed to take data loss seriously. This has largely stemmed from the fact that data protection law has never really had any bite to it. Up until now, that is…
The use of an information security management system certified to the ISO27001 standard is a simple way to ensure that data is encrypted, that systems are password protected, and that measures are in place to prevent large files from being downloaded to external devices.
Organisations that use third parties for their hosting or data storage requirements (e.g. UKFast) must ensure that such organisations are suitably qualified and secure – as UKFast is, with ISO27001 certification across all of its operations.
All data custodians must make certain that they have a suitable information security management system in place to ensure adequate security controls.