On August 24, the UK Financial Services Authority (FSA) announced that it had fined the UK branch of Irish company Zurich Insurance Plc (Zurich UK) £2.275 million (approximately $3.5 million) after 46,000 customers’ confidential information was lost. This is the highest fine imposed to date on a single firm for failings in data protection.
Zurich UK had outsourced certain data processing to its South African affiliate, Zurich SA. The loss occurred in August 2008, when an unencrypted back-up tape holding the customer data went missing during a routine transfer by Zurich SA to a data storage center. Because the two companies had no effective arrangement for reporting such incidents to each other, a year passed before Zurich UK was informed. With the data unencrypted, the affected customers were left exposed to identity theft and financial loss.
The FSA found that Zurich UK had not taken reasonable care to ensure that its systems and controls were adequate for the risks involved in the outsourcing arrangement, or to prevent the customer data from being used for financial crime. (It appears that the lost data was not misused and that no customer suffered a loss.)
Because Zurich UK settled at an early stage of the investigation, the fine was reduced by 30% from an original £3.25 million (approximately $5 million).