Unencrypted, Lost Tape Results in the Highest Industry Fine Ever
- Date: 21 March 2011
- Author: broyer
- Category: compliance, data privacy, Encryption, News, Online Backup
Unintended data breach rule #1: Storing sensitive customer data on tape unencrypted and then transporting it offsite is never a good idea.
Exhibit A: Zurich Insurance. It was announced on Sept 28th, 2010 that the Financial Services Authority (FSA), the regulator of financial services in the UK (apparently our version of the Federal Reserve), fined the UK division of Zurich Insurance more than £2m (or nearly $3.2M) for failing to prevent the loss of customers’ confidential information.
According to this news article, the fine, which is the highest ever levied by the FSA against an individual firm, follows the loss of 46,000 customers’ personal information. This included identity details, bank and credit card information, and details about insured assets and security arrangements. The FSA ruled that the company did not have adequate systems and controls in place.
The unencrypted backup tape holding that data was lost in transit during a routine transfer to a data storage centre by a third-party processor contracted by Zurich UK, which had outsourced the processing of its insurance data to its South African division. To add insult to injury, Zurich UK did not learn of the incident until a year later.
The FSA said Zurich UK failed to take reasonable care to ensure it could effectively manage the risks relating to the security of customer data following the outsourcing. The firm also failed to ensure it could prevent the lost data from being used for financial crime.
Margaret Cole, the FSA’s director of enforcement and financial crime, said: “Zurich UK let its customers down badly. It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA. To make matters worse, Zurich UK was oblivious to the data loss until a year later.”
Zurich UK said it notified customers about the data loss in October 2009 and has since taken steps to address the security issues identified by the incident. Customers with UK life policies were not affected by this matter.
Stephen Lewis, the chief executive of ZIP UK (Zurich Insurance PLC), said: “This incident was unacceptable. It served to remind us of the need to strive continually to improve the ways in which we seek to protect customers’ data. Supported by KPMG, we commissioned a comprehensive review of our data security systems and procedures and have taken a number of steps designed to enhance those procedures.
“We are appointing a dedicated information security officer to provide assurance that appropriate measures are in place and that they will continue to be effective. We believe our customers can be confident that we are doing everything we can to keep their data secure and protected.”
The equivalent, I suppose, of closing the barn door long after the horses have already left, reached their destination, checked in and sent postcards back reading “Wish You Were Here.”