Zurich Insurance has been rapped over the knuckles by the Information Commissioner’s Office (ICO) for losing private financial data of 46,000 people.

The insurer has been found in breach of the Data Protection Act after it mislaid an unencrypted back-up tape holding information on 46,000 policy holders and personal details of 1,800 third parties. The incident happened during a routine transfer to a data storage centre by its sister company in South Africa in August 2008, but this firm did not inform Zurich’s UK arm until over a year later.

An investigation uncovered flaws in the way the firm handled security of its data tapes. UK branch manager Stephen Lewis has signed an undertaking with the ICO, committing to encrypting back-up tapes where appropriate. The company has also implemented controls to monitor and report any future data loss incidents.

Chris McIntosh, CEO of hardware encryption firm Stonewood, welcomed the ICO ruling, as it sent a message to companies that security needed to be part of the entire data lifecycle from laptops to storage devices.

“The issue with this loss is not just the loss itself. It is the tardiness with which the loss was eventually reported,” said McIntosh. “This has resulted in the data of a further 5,000 UK customers being threatened, thanks to deficiencies in operating procedures which caused the original loss not being addressed immediately. As well as securing data, organisations have to ensure that they report and react to any incidents swiftly. Waiting a year, as Zurich’s sister company did on this occasion, is quite frankly beyond unacceptable.”