Zurich Insurance data protection fine
Zurich Insurance UK has been fined £2.275m by the Financial Services Authority (FSA) for not having the controls to prevent the loss of confidential personal data of 46,000 customers.
The fine, the heaviest yet for a data loss, came after the FSA uncovered failings in Zurich UK's systems and controls.
The FSA investigation followed the loss of 46,000 customers' personal details, including identity details and, in some cases, bank account and credit card information, details about insured assets and security arrangements. Zurich was unaware that it had lost the data for a year.
"The loss could have led to serious financial detriment for customers and even exposed them to the risk of burglary," the FSA said in a statement.
Zurich UK said it had seen no evidence to suggest that the lost data was compromised or misused.
The FSA said Zurich UK had outsourced the processing of some of its general insurance customer data to its South African subsidiary.
"In August 2008, Zurich SA lost an unencrypted back-up tape during a routine transfer to a data storage centre. As there were no proper reporting lines in place, Zurich UK did not learn of the incident until a year later," the FSA said.
"Zurich UK failed to take reasonable care to ensure it had effective systems and controls to manage the risks relating to the security of customer data resulting from the outsourcing arrangement.
"The firm also failed to ensure that it had effective systems and controls to prevent the lost data being used for financial crime," it said.
The FSA's director of enforcement and financial crime, Margaret Cole, said Zurich UK had let down its customers badly. "Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made."
As Zurich UK agreed to settle at an early stage of the investigation, the firm qualified for a 30% discount. Without this, the firm would have had to pay £3.25m.
The FSA has previously fined HSBC, Nationwide and Norwich Union for data loss.
Computer Weekly says...
The FSA's ability to levy eye-catching fines is in marked contrast with the powers of the country's data protection agency, the Information Commissioner's Office. Only in April did the ICO receive the power to fine a firm up to £500,000 for a data loss. It has yet to use the full extent of its power.