Zurich CEO signs undertaking to improve information security after data loss last year

The Information Commissioner’s Office (ICO) has found Zurich Insurance in breach of the Data Protection Act after it lost an unencrypted back-up tape containing financial personal information belonging to 46,000 policy holders.

The lost information was related to Zurich Private Client, Zurich Special Risk and Zurich Business Client, which are all part of Zurich Insurance.

The back-up tape, which also included personal details of 1,800 third parties, was lost by a sister company, Zurich Insurance Company South Africa, during a routine transfer to a data storage centre in South Africa.

The data loss occurred on 11 August 2008 although Zurich Insurance was not informed until over a year later. Subsequent internal investigations revealed failings in the management of security procedures involving data tapes in South Africa.

Zurich UK general insurance chief executive Stephen Lewis has now signed an undertaking to ensure that where any future movement of back-up tapes is required appropriate data security procedures including the use of encryption where appropriate, are in place.

The ICO also said Zurich Insurance has committed to put in place controls to monitor and promptly report potential or actual data loss activity. The undertaking also requires that steps are taken to ensure staff and external contractors are made fully aware of security procedures and adequate checks are carried out on contractors’ staff.

Sally-anne Poole, head of enforcement & investigations at the ICO, said: “It is vital that organisations ensure effective safeguards are in place to protect personal information.

"Failure to adequately protect personal details could lead to information falling into the wrong hands and ultimately the loss of customers’ trust and confidence. I encourage all organisations to report any serious data security breaches to us so that the nature of the breach or loss can be considered.

"I am pleased to see that Zurich Insurance plc has taken remedial steps to ensure individuals’ personal details are protected in future.”