The Financial Services Authority (FSA) has fined the UK arm of insurance firm Zurich a record £2.27m for losing personal details of 46,000 customers.
The fine, the biggest the FSA has ever issued for an offence relating to data security, is punishment for an incident in August 2008 when information outsourced to Zurich Insurance Company South Africa went missing.
The FSA said in a statement that Zurich UK had "failed to take reasonable care to ensure it had effective systems and controls to manage the risks relating to the security of customer data when outsourcing its management".
FSA director of enforcement and financial crime Margaret Cole said: "Zurich UK let its customers down badly. It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA.
"To make matters worse, Zurich UK was oblivious to the data loss incident until a year later."
The fine could have been as much as £3.25m had Zurich not agreed to settle at an early stage of the investigation.
Stephen Lewis, chief executive of Zurich International UK, said the incident was "unacceptable" and that the insurer had already learned data management lessons from the experience.
"We commissioned a comprehensive review of our data security systems and procedures and have taken a number of steps designed to enhance those procedures," he said.
"We are appointing a dedicated information security officer to provide ongoing assurance that appropriate measures are in place and that they will continue to be effective."
Writing in a blog posting, Sophos senior technology consultant Graham Cluley said that if firms wanted to avoid a similar fate they needed to ensure they were being proactive in preventing data losses.
"Make sure that you are taking steps now to protect the sensitive data that your company holds. All organisations need to take the necessary measures to avoid data breaches, and protect the potential victims of data loss," he wrote.
The fine imposed by the FSA will raise questions over the effectiveness of another regulator, the Information Commissioner's Office (ICO).
Although the ICO did issue a statement condemning Zurich for the data losses back in March, this was before it had the power to issue fines of up to £500,000 against firms that mishandle data.
However, legal experts have branded this figure 'absurd' for being too low, and the scale of the fine the FSA imposed on Zurich suggests that many firms will be more wary of the FSA than of the ICO when it comes to financial data losses.
Stewart Room, a partner at Field Fisher Waterhouse LLP, said that the fine by the FSA served to highlight once again the limits of the ICO's powers.
"A fine that could have hit £3.25m is seven times what the ICO could have issued, raising serious questions about its power and whether the government values financial information over private information," he said.
"The government should consider looking again at the ICO's power as the loss of any private data can easily lead to a loss of financial information too."
He also echoed Cluley's sentiments, urging companies to take action now to ensure they protect themselves against the risk of data losses.
"The law is only going to get tougher when it comes to regulating on data losses. In the coming years all data breaches will have to be reported as mandatory and we will then see evidence of some of the worst examples of data losses," he said.
Read more: http://www.computing.co.uk/v3/news/2268641/financial-services-authority#ixzz0xXTNJxog