Zurich Insurance fined £2.3m over customers' data loss
The UK operation of Zurich Insurance has been fined £2.27m by the Financial Services Authority (FSA) for losing personal details of 46,000 customers.
It is the highest fine levied on a single firm for data security failings.
Margaret Cole, the FSA's director of enforcement and financial crime, said: "Zurich UK let its customers down badly."
Stephen Lewis, chief executive of Zurich UK, said: "This incident was unacceptable."
The data on policyholders, including in some cases bank account and credit card information, went missing in August 2008.
However, Zurich did not become aware of the loss until a year later, when it then began notifying customers.
The information went missing during a routine transfer to a data storage centre in South Africa.
The FSA said in a statement: "Zurich UK failed to take reasonable care to ensure it had effective systems and controls to manage the risks relating to the security of customer data resulting from the outsourcing arrangement.
"The firm also failed to ensure that it had effective systems and controls to prevent the lost data being used for financial crime."
Margaret Cole added that Zurich "failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA".
"To make matters worse, Zurich UK was oblivious to the data loss incident until a year later.
"Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made," she said.
Zurich said that it had no evidence the data had been misused. The firm said it had introduced new security measures, and had appointed a dedicated information security officer.
Mr Lewis said that the incident "served to remind us of the need to strive continually to improve the ways in which we seek to protect customers' data".
As Zurich agreed to settle at an early stage of the investigation the firm's fine was reduced by 30%. Without this discount the fine would have been £3.25m.
Experts said the size of the fine sends a signal that the authorities will crack down hard on data loss.
Rupert Casey, partner at Macfarlanes law firm, said companies and organisations had previously failed to take data loss seriously.
"That stemmed from the fact that data protection law never had any bite to it. That has all changed.
"What this fine should do is drive the issue up the agenda," he said.
Better encryption of data, password protection, and measures to ensure large files cannot be downloaded to devices like memory sticks must all be improved, he said.
The FSA has previously fined HSBC, Nationwide and Norwich Union for data loss.