Zurich Insurance has been fined more than £2m over the loss of 46,000 customers' personal details, an incident that has already seen the company found guilty of breaching the Data Protection Act.
On Tuesday, the Financial Services Authority (FSA) imposed a £2,275,000 fine on Zurich Insurance, the highest fine a single firm has received for data security failings. The company had outsourced some customer data processing to a South African subsidiary, Zurich SA, which in August 2008 lost an unencrypted back-up tape in transit. The affected customers, who were holders of Zurich Private Client, Zurich Special Risk and Zurich Business Client policies, were not told about the breach for a year.
"As there were no proper reporting lines in place Zurich UK did not learn of the incident until a year later," the FSA noted in a statement, adding that Zurich UK's willingness to settle "at an early stage" of the investigation led to a 30-percent reduction in the fine. It would otherwise have been £3.25m.
"Zurich UK let its customers down badly," Margaret Cole, the FSA's director of enforcement and financial crime, said in the statement. "It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA. To make matters worse, Zurich UK was oblivious to the data loss incident until a year later.
"Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made."
Although the lost data included identity details and, in some cases, bank account and credit card information and security arrangements, Zurich has said there is no evidence it has been misused. Nonetheless, in March, the Information Commissioner's Office (ICO) found the company guilty of breaching the Data Protection Act.
In a statement on Tuesday, Zurich Insurance UK chief executive Stephen Lewis said the incident had been "unacceptable".
"It served to remind us of the need to strive continually to improve the ways in which we seek to protect customers' data," Lewis said. "Supported by KPMG, we therefore commissioned a comprehensive review of our data security systems and procedures and have taken a number of steps designed to enhance those procedures.
"We are appointing a dedicated information security officer to provide ongoing assurance that appropriate measures are in place and that they will continue to be effective. We believe our customers can be confident that we are doing everything we can to keep their data secure and protected."