The Financial Services Authority (FSA) has fined the UK branch of Zurich Insurance £2.27m for failing to have adequate systems and controls in place to prevent the loss of customers’ confidential information.

This is the highest fine levied to date on a single firm for data security failings.

Zurich lost the personal details of 46,000 customers, including identity details, and in some cases bank account and credit card information, details about insured assets and security arrangements.

The loss could have led to serious financial detriment for customers and even exposed them to the risk of burglary; however there is not evidence to date to indicate that the data has been misused.

Zurich UK outsourced the processing of some of its general insurance customer data to Zurich Insurance Company South Africa Limited (Zurich SA).

In August 2008, Zurich SA lost an unencrypted back-up tape during a routine transfer to a data storage centre. The absence of proper reporting lines meant Zurich UK did not learn of the incident until a year later.

As Zurich UK agreed to settle at an early stage of the investigation the firm qualified for a 30% ‘discount’, without which the fine would have been £3.25m.