The Financial Services Authority ("FSA") have imposed a fine of £2.27 million on the UK branch of Insurance company Zurich for loss of customer data.

During a transfer of data to a storage centre, Zurich managed to lose an unencrypted back-up tape holding data on 46,000 customers. The data lost included bank details, credit card details, home addresses and details of securities. What made the matter even more concerning was the fact that Zurich had no idea the data had been lost until a year later.

Whilst Zurich said there was no evidence that this data had been utilised for improper purposes, it is clear they did not have appropriate security procedures in place to protect the data. Customers could have suffered very serious financial consequences if the data had made its way into the wrong hands and been used for financial crime.

Zurich's fine is the highest ever imposed by the FSA for a data security breach which illustrates the fact that such breaches are being taken increasingly seriously.

Organisations need to review their data protection policies to ensure that they have adequate compliance and security measures in place to protect their data. If you do not have data protection procedures in place, make sure you do so as a matter of urgency.

If you become concerned that you may have committed a breach of the Data Protection Act, the first thing to do is seek independent legal advice. If an investigation follows, your best option is to co-operate. The fine imposed on Zurich may have been higher had they not fully co-operated with the FSA's investigation.

It is not only the high fines that organisations need to be concerned about. Individuals who suffer damage as a result of lost data may take legal action against your organisation. Furthermore, you need to be aware of the potential damage a breach of data protection laws could do your business. Individuals (and other organisations) will not want to become involved with you if they are not confident that their data will be secure.

Disclaimer

The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.

© MacRoberts 2010