The Information Commissioner’s Office (ICO) has found Zurich Insurance plc in breach of the Data Protection Act after it lost an unencrypted back-up tape containing financial personal information belonging to 46,000 policy holders of Zurich Private Client, Zurich Special Risk and Zurich Business Client, which are all part of Zurich Insurance plc.
The back-up tape, which also included personal details of 1,800 third parties, was lost by a sister company, Zurich Insurance Company South Africa, during a routine transfer to a data storage centre in South Africa. The data loss occurred on 11 August 2008, although the sister company did not inform Zurich Insurance plc until over a year later. Subsequent internal investigations revealed failings in the management of security procedures involving data tapes in South Africa.
UK Branch Manager of Zurich Insurance plc, Stephen Lewis, has now signed an Undertaking to ensure that, where any future movement of back-up tapes is required, appropriate data security procedures, including the use of encryption where appropriate, are in place. Zurich Insurance plc has committed to put in place controls to monitor and promptly report potential or actual data loss activity. The Undertaking also requires that steps are taken to ensure staff and external contractors are made fully aware of security procedures and that adequate checks are carried out on contractors’ staff.
Sally-anne Poole, Head of Enforcement & Investigations at the ICO, said: “It is vital that organisations ensure effective safeguards are in place to protect personal information. Failure to adequately protect personal details could lead to information falling into the wrong hands and ultimately the loss of customers’ trust and confidence. I encourage all organisations to report any serious data security breaches to us so that the nature of the breach or loss can be considered. I am pleased to see that Zurich Insurance plc has taken remedial steps to ensure individuals’ personal details are protected in future.”
A full copy of the Undertaking can be viewed here:
http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx
Source: Information Commissioner’s Office