Confession is good for the soul, but bad for the reputation
Those accused of a crime who plead guilty can expect a reduced sentence. Likewise, companies admitting to a data security breach or data loss get a reduced fine. In the case of Zurich Insurance, settling a Financial Services Authority investigation early took 30 per cent off the potential fine, saving the insurer nearly £1 million.
What this latest case of insecure handling of personal data throws into sharp relief is the issue of deterrence versus incentive. The level of FSA fine in this case was eye-watering enough at £2.275 million or nearly £50 for every record involved. Given the relatively low margins on general insurance products, that could be enough to turn every one of the accounts involved loss-making.
Those customers would argue that they have been put at risk by the insurer – ironically, given the nature of the product involved – and the consequences could have been much more severe. Fifty pounds is what ten credit card records might fetch on the black market, with a fraudster likely to net thousands of pounds if this data were to have been found and put to improper use.
So is the scale of the penalty enough to encourage others to review their data security and processes? Gaps in these are what let Zurich down, with the year during which it remained unaware of the data loss probably the most telling aspect of this incident. How many other major data controllers in the financial services sector could themselves be in breach of FSA rules on data without knowing about it?
With the Information Commissioner yet to use his enhanced powers against anybody, data users across all sectors might be driven by fear of fines to tighten up their own processes. After all, that is the point of regulation and enforcement. The ICO has shown a softer side by talking up the need to report breaches and losses early to mitigate penalties later – like a priest giving an easier penance for a quick confession.
The question is whether companies will see these discounts as an incentive to admit problems. Or will the reputational damage that arises from the publicity in such cases be a bigger concern? After all, as long as the brand remains an asset on the balance sheet and the database does not, it is clear which will be handled with the most care.