Confession is good for the soul, but bad for the reputation

Those accused of a crime who plead guilty can expect a reduced sentence. Likewise, companies admitting to a data security breach or data loss get a reduced fine. In the case of Zurich Insurance, settling a Financial Services Authority investigation early took 30 per cent off the potential fine, saving the company nearly £1 million.

What this latest case of insecure handling of personal data throws into sharp relief is the issue of deterrence versus incentive. The level of FSA fine in this case was eye-watering enough at £2.275 million or nearly £50 for every record involved. Given the relatively low margins on general insurance products, that could be enough to turn every one of the accounts involved loss-making.

Those customers would argue that they have been put at risk by the insurer – ironically, given the nature of the product involved – and the consequences could have been much more severe. Fifty pounds is what ten credit card records might fetch on the black market, with a fraudster likely to net thousands of pounds if this data were to have been found and put to improper use.

So is the scale of the penalty enough to encourage others to review their data security and processes? Gaps in these are what let Zurich down, with the year during which it remained unaware of the data loss probably the most telling aspect of this incident. How many other major data controllers in the financial services sector could themselves be in breach of FSA rules on data without knowing about it?

With the Information Commissioner yet to use his enhanced powers against anybody, data users across all sectors might be driven by fear of fines to tighten up their own processes. After all, that is the point of regulation and enforcement. The ICO has shown a softer side by talking up the need to report breaches and losses early to mitigate penalties later – like a priest giving an easier penance for a quick confession.

The question is whether companies will see these discounts as an incentive to admit problems. Or will the reputational damage that arises from the publicity in such cases be a bigger concern? After all, as long as the brand remains an asset on the balance sheet and the database does not, it is clear which will be handled with the most care.
