
FSA Fines Zurich Insurance $3.5 Million for Failing to Protect Customer Data

Penalty follows the loss of a backup tape containing personal information for 46,000 policy holders.

The Financial Services Authority has fired a warning shot across the financial industry's bows with regard to protecting customer data. The U.K. financial services regulator has fined the U.K. branch of Zurich Insurance £2,275,000 (about $3.5 million) for failing to have adequate systems and controls in place to prevent the loss of customers’ confidential information. According to the FSA, the fine is the highest levied to date on a single firm for data security failings.

The penalty follows the loss of 46,000 customers’ personal details, including identity information and, in some cases, bank account and credit card information and details about insured assets and security arrangements, through the year-long loss of a backup tape.

Zurich UK outsourced the processing of some of its general insurance customer data to Zurich Insurance Company South Africa Limited (Zurich SA). In August 2008, Zurich SA lost an unencrypted backup tape during a routine transfer to a data storage center. As there were no proper reporting lines in place, Zurich UK did not learn of the incident until a year later. Zurich UK has seen no evidence to suggest that the personal data was compromised or misused.

The FSA found that Zurich UK failed to take reasonable care to ensure it had effective systems and controls to manage the risks to the security of customer data arising from the outsourcing arrangement, and failed to ensure that it had effective systems and controls to prevent the lost data being used for financial crime.

"Zurich UK let its customers down badly," said Margaret Cole, the FSA’s director of enforcement and financial crime. "It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA. To make matters worse, Zurich UK was oblivious to the data loss incident until a year later. Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made."

Because Zurich UK agreed to settle at an early stage of the investigation, the firm qualified for a 30 per cent discount. Without this discount the firm would have been fined about $5 million.
