Zurich hit with record £2.28m fine over loss of personal data
The data was on a tape that went missing in South Africa during a routine transfer two years ago, but the loss did not come to light until October last year.
The Financial Services Authority (FSA) said Zurich UK had put its customers at risk of fraud and other crime by failing to protect the data, which included sensitive information such as some credit card and current account details.
That risk was heightened by the delay in uncovering the loss, according to the FSA, which said Zurich UK had failed to ensure the security of customer data outsourced to Zurich Insurance Company South Africa Limited for processing.
The firm also failed to ensure that it had effective systems and controls to prevent the lost data being used for financial crime, said the FSA, although Zurich claimed there was no evidence that any of the data had been misused or compromised.
The fine was the biggest ever levied for data security failings and would have reached £3.25m if Zurich had not qualified for a 30 per cent discount by agreeing to settle at an early stage of the investigation.
Margaret Cole, director of enforcement and financial crime at the FSA, said Zurich had "let its customers down badly" by failing to oversee the outsourcing arrangement effectively.
"To make matters worse, Zurich UK was oblivious to the data loss incident until a year later," said Cole.
"Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made."