Outsourcing data processing has its risks

The UK operation of the Swiss insurer found itself in hot water with the Financial Services Authority (FSA) over the loss of personal details of 46,000 customers during a routine transfer to a data storage centre in South Africa in August 2008. It received a fine of £2.27m – the largest fine ever levied by the FSA on a single regulated company for data security failings.

The case highlights the risk of thinking that by outsourcing something, it becomes someone else’s problem.

Zurich UK did not actually become aware of the loss until a full year after it occurred, the FSA said, because it had “no proper reporting lines in place”. That meant the 46,000 customers affected were unaware for a year that their personal information had been laid open to any number of threats and abuses. The FSA criticised Zurich UK for failing to ensure effective systems and controls to manage the risks to customer data security from the outsourcing arrangement and said it had “failed to ensure it had effective systems and controls to prevent the lost data being used for financial crime”.

Instances of critical data loss of that magnitude have been increasingly common even as security awareness grows among businesses. In 2007, HM Revenue and Customs lost two CDs containing the personal details of 25 million people. That should have served as a wake-up call to the failings of physical data transfer, but since then the problems have worsened.

Figures from the Information Commissioner’s Office confirm this. There were more than 350 individual incidents of data loss reported in the last year in the UK, compared with 190 incidents the previous year. The most common cause of loss, in 127 cases, was the result of stolen hardware. A further 71 incidents were blamed on lost hardware, typically memory sticks.

Tim Holyoake, security technologist at German software company Software AG, says the trend places greater urgency on the debate around not only what security companies use to protect data, but the reporting and responsibility structures around it.

“Managers need to treat customer data with the same level of security as they do company cash,” Holyoake tells Financial Director. “A bank wouldn’t take a year to notice missing money, but critical customer information is being treated with a lower level of priority. Organisations are too myopic or lazy to impose mandatory policies and procedures to enforce only encrypted electronic transfer for sensitive information, so sending a USB stick is the easy option.”

The security of customers’ personal information and sensitive company data is usually the remit of the chief information officer. However, finance directors, working ever more closely with chief information officers, must grasp this most prickly – and potentially costly – of nettles. As Software AG’s Holyoake says: “If you are looking to differentiate your business, reputation is everything.”

Read our 2008 story on the HM Revenue & Customs data loss and the FD perspective here