Although no misuse of the 46,000 files – which included identity data, bank account and credit card information, insured asset details and security arrangements – has been reported, the loss did not come to light for a year.
Zurich UK had outsourced some of the data processing on its general insurance customers to Zurich Insurance Company South Africa. During a routine transfer of data for archiving in August 2008, the tape was lost. One of the reasons for the fine being set so high, at £2,275,000, was the absence of any proper reporting to alert the data controller to the loss.
Margaret Cole, the FSA’s director of enforcement and financial crime, said: “Zurich UK let its customers down badly. It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA. To make matters worse, Zurich UK was oblivious to the data loss incident until a year later. Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made.”
The investigation was settled at an early stage, which was recognised by the regulator in a 30 per cent discount against the intended fine of £3.25 million. It still means the insurer has paid nearly £50 per record lost. An absence of effective systems and controls was also criticised by the FSA in levying the penalty.