Zurich Insurance in the UK has just discovered the true cost of failing to secure confidential customer data properly, as the Financial Services Authority (FSA) fines the company a record £2.275m ($3.5m) for the data loss incident in 2008 which potentially put some 46,000 customers at risk.
The incident occurred in 2008, when an unencrypted back-up tape containing those 46,000 customer records disappeared in transit between two sites in South Africa; apparently it took the best part of a year before Zurich UK heard about the data loss.
According to the FSA, the resulting £2.275m fine is the highest levied to date on a single firm for data security failings. It could have been much worse: Zurich was granted a 30 percent discount for settling at an early stage of the investigation, which reduced the fine from an original £3.25m ($5m).
The misplaced data included customers' personal details such as bank account and credit card information as well as information about insured assets and security arrangements. Although Zurich UK states it has seen "no evidence" to support suggestions that the data has been misused or compromised in any way, the fact remains that it certainly had the potential to cause serious problems for the 46,000 customers concerned.
FSA Director of Enforcement and Financial Crime, Margaret Cole, said "Zurich UK let its customers down badly. It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA. To make matters worse, Zurich UK was oblivious to the data loss incident until a year later. Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made."
The FSA's findings, and the case itself, highlight how Zurich UK failed to "take reasonable care to ensure it had effective systems and controls to manage the risks" to customer data arising from the outsourcing arrangement, and further that it "failed to ensure that it had effective systems and controls to prevent the lost data being used for financial crime".
Stephen Lewis, Chief Executive of Zurich Insurance PLC (UK), said in a statement: "This incident was unacceptable. It served to remind us of the need to strive continually to improve the ways in which we seek to protect customers' data. We are appointing a dedicated Information Security Officer to provide ongoing assurance that appropriate measures are in place and that they will continue to be effective. We believe our customers can be confident that we are doing everything we can to keep their data secure and protected."
So it seems that Zurich has learnt from the mistakes it has made, despite the 'record fine' being but a drop in the ocean in financial terms for a company of this size. Other companies should take note that if you effectively crap on customer data security concerns then it should come as no great surprise if, when the brown stuff hits the fan as it inevitably will, the green folding stuff starts flying out of the bank...