In two separate UK incidents, the Financial Services Authority (FSA) has fined the UK branch of Zurich Insurance Plc (Zurich UK) £2,275,000 for failing to have adequate systems and controls in place to prevent the loss of customers’ confidential information, and the Information Commissioner’s Office (ICO) has found Yorkshire Building Society (YBS) in breach of the Data Protection Act after an unencrypted laptop belonging to the former Chelsea Building Society (CBS), which had recently merged with YBS, was stolen from its Cheltenham premises.
Zurich breach
Zurich lost the personal details of 46,000 customers, including identity details and, in some cases, bank account and credit card information, details of insured assets and security arrangements.
Zurich UK outsourced the processing of some of its general insurance customer data to Zurich Insurance Company South Africa Limited (Zurich SA). In August 2008, Zurich SA lost an unencrypted back-up tape during a routine transfer to a data storage centre. As there were no proper reporting lines in place, Zurich UK did not learn of the incident until a year later.
Zurich UK failed to take reasonable care to ensure it had effective systems and controls to manage the risks relating to the security of customer data resulting from the outsourcing arrangement.
The firm also failed to ensure that it had effective systems and controls to prevent the lost data from being used for financial crime.
Zurich UK has seen no evidence to suggest that the personal data was compromised or misused.
Yorkshire Building Society breach
The laptop stolen from YBS contained a substantial part of the CBS customer database. It was recovered within 48 hours after YBS appointed private investigators, and forensic investigations revealed that none of the data had been accessed during that time, although there had been several attempts to do so.
Yorkshire Building Society gave an undertaking to ensure that such a data security breach does not happen again. This will include ensuring that all portable devices, including laptops, are encrypted, that all staff are made aware of the company’s policies for the storage and use of personal data, and that staff have access only to the type and amount of personal data necessary for their work.