
A press release from the Information Commissioner's Office (ICO) has confirmed that another financial institution has lost personal details, this time those of 46,000 policy holders of Zurich Insurance and its various subsidiaries.
Worse still, the company appears to have little or no control over its own processes: the unencrypted backup tape was lost in South Africa, and the loss was not notified to the parent company until a year later.
A number of key controls appear to have been missed by the insurer:
No encryption of sensitive customer data
Inadequate incident management
Ineffective processes and procedures
The ICO press release and further information are below:

The Information Commissioner’s Office (ICO) has found Zurich Insurance plc in breach of the Data Protection Act after it lost an unencrypted back-up tape containing financial personal information belonging to 46,000 policy holders of Zurich Private Client, Zurich Special Risk and Zurich Business Client, which are all part of Zurich Insurance plc.
The back-up tape, which also included personal details of 1,800 third parties, was lost by a sister company, Zurich Insurance Company South Africa, during a routine transfer to a data storage centre in South Africa. The data loss occurred on 11 August 2008 although the sister company did not inform Zurich Insurance plc until over a year later. Subsequent internal investigations revealed failings in the management of security procedures involving data tapes in South Africa.
UK Branch Manager of Zurich Insurance plc, Stephen Lewis, has now signed an Undertaking to ensure that where any future movement of back-up tapes is required, appropriate data security procedures, including the use of encryption where appropriate, are in place. Zurich Insurance plc has committed to put in place controls to monitor and promptly report potential or actual data loss activity. The Undertaking also requires that steps are taken to ensure staff and external contractors are made fully aware of security procedures and adequate checks are carried out on contractors’ staff.
Sally-anne Poole, Head of Enforcement & Investigations at the ICO, said: “It is vital that organisations ensure effective safeguards are in place to protect personal information. Failure to adequately protect personal details could lead to information falling into the wrong hands and ultimately the loss of customers’ trust and confidence. I encourage all organisations to report any serious data security breaches to us so that the nature of the breach or loss can be considered. I am pleased to see that Zurich Insurance plc has taken remedial steps to ensure individuals’ personal details are protected in future.”
A full copy of the Undertaking can be viewed here:
http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx
UPDATE:
A response from Zurich has been posted on their website:
The UK branch of Zurich Insurance plc ("ZIP UK") can confirm that it has given an undertaking to the Information Commissioner's Office (ICO) regarding the future protection and storage of personal data.
The undertaking was given after a dialogue with ICO that followed ZIP UK's self reporting of an incident regarding the loss of a back-up data tape in South Africa containing data relating to some of Zurich UK's general insurance customers.
A letter was sent last year to some 51,000 general insurance customers and other parties in the UK to inform them of this loss and the remedial actions being taken. To date, ZIP UK has seen no evidence to suggest that this data has been misused or compromised. UK Life policies or other General Insurance policies are not affected by this matter.
ZIP UK has given an undertaking that, where any future movement of back-up tapes containing personal data is required, ZIP UK will ensure that appropriate data security procedures, including the use of encryption where appropriate, are in place; that steps are taken to ensure staff and external contractors are made fully aware of such security procedures and adhere to them; that adequate checks are carried out on contractors' staff; and that effective controls are put in place to monitor and promptly report potential or actual data loss activity.
ZIP UK can confirm that all of these improvements in procedures have either already been implemented or will be implemented in the very near future.