The Register® — Biting the hand that feeds IT

UK insurer hit with biggest ever data loss fine

Zurich Insurance must pay an enormous £2.3m fine for losing thousands of British people's personal data. The fine was imposed not by the Information Commissioner's Office but by the Financial Services Authority. Zurich Insurance lost 46,000 customer records including some bank details when a tape back-up went missing between …

This topic is closed for new posts.
WTF?

How do you 'lose' data exactly?

I'm confused. I am aware of recent problems where laptops, CDs, DVDs and memory sticks have been lost/mislaid, and they had sensitive data on them. I'm ok with that. Something physical that has data on it.

From what I have read, Zurich 'lost' some data while transferring over to a 3rd party for archiving. I also understand that no customers have suffered financially as a result. I conclude then that while the data got 'lost', it did not fall into enemy hands.

So where did it go? Into the interwebs? All them little bits and bytes leaking out into people's routers and networks. How clumsy.... and how unfortunate to have been fined such a large amount for 'losing' some data. I also understand that it took Zurich quite a while to realise that the data had been 'lost' and to admit same.

Is anyone else similarly confused?

Stop

Erm - A back-up tape?

It was a back-up tape that was lost.

Hmm, did you read the article!?

"Zurich Insurance lost 46,000 customer records including some bank details when a tape back-up went missing between two sites in South Africa."

Kind of answers your question in one neat little sentence... ;)

Clue is in the article

"Zurich Insurance lost 46,000 customer records including some bank details when a ******tape back-up****** went missing"

Anonymous Coward
FAIL

@David Lawrence: Reading and comprehension fail.

"a tape back-up went missing between two sites in South Africa"

It was only blind luck that this backup tape didn't fall into the wrong hands.

As for the notification, it is obvious that they knew of the loss at the time but covered it up for a year.

Erm...

>Even worse, it took a year for Zurich UK to hear about the loss

No. I'd say even worse is that UK personal data is being stored and processed anywhere other than the UK.

It wasn't UK personal data

From the article text:

The lost tape included data on half a million South African clients of Zurich, and 40,000 from Botswana.

No Britons involved...

Boffin

The Sun Set on the Empire

> The lost tape included data on half a million South African clients of Zurich, and 40,000 from Botswana.

SA and Botswana are not part of the UK, bokkie.

@Neil Greatorex and @LawLessLessLaw

You both could try reading the whole article from the beginning.

>Zurich Insurance must pay an enormous £2.3m fine for losing thousands of British people's personal data.

Now while I realise that these British people could be British in name but resident in South Africa I doubt whether the FSA would have any sway if this was a purely South African issue.

Thumb Down

Re: It wasn't UK personal data

From the very first line of the article: "losing thousands of British people's personal data"

The little note at the end uses the word 'included'. I'd take that to mean 'additionally to the data on UK citizens for which Zurich is being fined'.

Eunuch ICO

Credit to the FSA for holding Zurich to account and imposing a punishment. It should have been the ICO imposing such a penalty.

Fine?

which no doubt leads to larger bills for their customers, who should really be receiving a cut.

Thumb Down

Not the ICO but the FSA

However, the most shameful thing is that it was not the toothless ICO but the FSA who levied the fine.... I am sure the ICO's office would have said - don't worry, it was just 48,000 customers - No harm done... nothing to see.

ICO = UK Data ?

Wouldn't the ICO only potentially be involved if it was UK data ?

Not stating as a fact, just interested to know

data lost?

Data isn't tangible, so does it matter if it gets lost? What actually is there to lose?

If a copy exists then has the data been lost?

Were they insured...

Were the tapes insured against loss? *cough*

Anonymous Coward

Fines?

The Nationwide one was paid by the members, not the directors (cheers guys) and Zurich made £91m last year, so this is going to be paid by emptying the petty cash box: http://www.zurich.co.uk/home/mediacentre/company/Zurichs_UK_reports.htm

Anonymous Coward
Coat

but

They were told.

Repeatedly.

(backup tape btw - unencrypted natch)

Coat because that's what they told me to get a couple of years ago...

Pity

'Tis unfortunate that it's an insurance company. No doubt they're self-insured for this sort of thing and will just treat it as cost-of-doing-business.

Had it been a regular company then their business insurance rates would go way up - 'natch. The bean-counters could then weigh this against the cost of improving security and, hopefully, apply appropriate funding to (2)

So...

...Who gets the money from the fine?

Can the Zurich customers whose data was lost expect a £50 cheque in the post each?

No.. Thought not.

I'm certainly not against fining any organisation that compromises the data of the general public, but surely any revenue raised should go to compensate the people that were actually wronged?

FAIL

Re: Chris W

"No. I'd say even worse is that UK personal data is being stored and processed anywhere other than the UK."

riiight... because no other data about UK people EVER leaves the UK for storage/processing...

especially considering Zurich UK is just part of a multinational company.

@Tieger

You mean other companies keep and process data of British citizens offshore. Well bugger me, I didn't know that.

However, what exactly is your point?

Happy

Way hay !

At last -

But they should also force them to state on all their advertising "We have been fined £2.3m by the FSA for losing your personal data. Still trust us?" for the period of one year.

Stop

@ David Lawrence

You are right to be confused as the story does not convey what actually happened very accurately.

The data itself was on a tape being transported from the Zurich offices in SA to an off-site silo by the 3rd party that manages Zurich SA applications and infrastructure. What the story also does not convey is that the fine was probably so high because the application in question holds/processes data on "high net worth" Zurich UK customers.

I believe that the 3rd party has been dismissed and that this application is now managed in-house.

Anonymous Coward
FAIL

@TkH11 are you for real?

So a tape containing (hypothetically) your name, address, d.o.b., NH number, children's names and ages, etc. etc. etc. is lost. There's nothing there, there's no need to worry. I wonder what all that mine of non-existent data could be used for? Mmmmm.

@AC

You mentioned a tape. I didn't mention a tape. I questioned the subject of data loss!

I didn't describe the medium - if any - on which that data is held.

I was actually referring to loss of data into the ether, where there is no medium to lose.

@AC

@AC, my post was a response to the very first post, how do you actually lose data?

One doesn't lose data, it's not tangible. (Which was the subject of my first post).

One loses the medium on which the data is stored.

Actually it is loss of control

It is not the medium loss that they are being fined for, but the shoddy loss of control of data due to poor practices. Specifically, the data not being encrypted. Don't forget, anyone holding personal data in the UK of other people (ie customers) has a statutory obligation to look after it.

Therefore Zurich losing a backup tape is irrelevant in terms of the use of the word loss. The term loss is being applied that they could not account for the data and could not demonstrate that the missing data was not used for other purposes. In short, they lost control not just the physical hardware and therefore they did not fulfill their statutory obligations. If the data was lost say through a server failure, that would be a loss to the company, but not a loss in terms of personal data because no one else gained unauthorised access to it. Someone deliberately going in and copying the data, bypassing safeguards is termed a breach.

Many people, particularly lawyers and Intellectual Property types, would disagree with your opinion that data is not tangible. It has value, therefore it is worth money and therefore it is tangible in the same way that you would pay an electrician or a builder to do your house. He has knowledge that you do not, you could buy the materials and do it yourself, but you are also paying for what they know in order to get the job done better. Software has value, it can be sold and traded therefore, it also is tangible because it is a saleable commodity.

Thumb Down

uk insurer

seriously what is it with uk companies loosing data records of there customers do they not have a safe thease days to keep them safe

FAIL

@DEAD4EVER

1. Read the article.

2. Learn to spell.

That is all.

Thumb Down

Fire

This will keep happening until the actual people losing the data get the fines or prison sentences.

Fining the company hardly affects the idiot losing the laptops and tapes.

Definition of Tangible

"Having physical existence and/or form, or discernible through one or more senses."

Alternatives:

a. Discernible by the touch; palpable: a tangible roughness of the skin.

b. Possible to touch.

c. Possible to be treated as fact; real or concrete: tangible evidence.

2. Possible to understand or realize: the tangible benefits of the plan.

3. Law That can be valued monetarily: tangible property.

According to this, data is not tangible as it cannot be physically touched. However, in a legal context an additional definition exists. For the purposes of law I can accept this. But for most people in the literal definition (where most people are not lawyers), data is not tangible.

You are correct ...

... in believing that it is incorrect to say 'data is tangible'. However, data ARE tangible.

WTF?

titular something or other

"c. Possible to be treated as fact; real or concrete: tangible evidence"

Seems like Data could be covered under this definition. Personal data is

1. factual

2. real

3. concrete (see 1 and 2)

ergo Data is tangible

Anonymous Coward
Flame

Purely symbolic "punishment"

"Zurich Insurance must pay an enormous £2.3m fine for losing thousands of British people's personal data."

Enormous? Is that even 1% of the company's yearly _profit_?

If it's not, it's even less than a slap to the wrist and saying 'Bad, bad!'

Losing anything beyond name should be punishable at rate of £1000 per person and that sum goes to those whose details have been "lost", ie. sold to 3rd parties. Criminal charges on top of that if necessary.

If a company goes bankrupt because of this, it serves them right: an ordinary citizen is financially ruined when he does major crimes and gets caught, so tell me why corporations should get away for free? Or with a purely symbolic "punishment" like this?

Big Brother

Solution (again)

It will happen again and again and again until they make the heads of these companies/departments responsible and SACK them ... THEN you'll get change. Fines are meaningless to companies of this size - less than 1%!