24 Mar 2010
Zurich Insurance has been found in breach of the Data Protection Act after losing an unencrypted backup tape containing personal financial data on 46,000 policy holders, and personal details on a further 1,800 third parties.
The data was lost by sister company Zurich Insurance Company South Africa during a routine transfer to a data storage centre in South Africa in August 2008. The incident was not reported to Zurich Insurance for over a year, according to the Information Commissioner's Office (ICO).
An internal investigation revealed failings in the management of security procedures in South Africa, and Stephen Lewis, UK branch manager of Zurich Insurance, signed an undertaking with the ICO today.
Lewis has pledged that Zurich Insurance will ensure that data security procedures, including the use of encryption, are in place before the movement of data.
The company must also monitor and promptly report any data security weaknesses or breaches, and ensure that staff and external contractors are fully aware of security procedures.
Sally-anne Poole, head of enforcement and investigations at the ICO, urged all organisations to report any serious data breaches.
"It is vital that organisations ensure that effective safeguards are in place to protect personal information," she added.
"Failure to adequately protect personal details could lead to information falling into the wrong hands and ultimately the loss of customers' trust and confidence."
Chris McIntosh, chief executive of data encryption firm Stonewood, welcomed the ICO's hardline stance on those contravening data breach laws.
"Waiting a year, as Zurich's sister company did on this occasion, is quite frankly beyond unacceptable," he said. "As well as securing data, organisations have to ensure that they report and react to any incidents swiftly."
Do you agree?
The first step
Signing the undertaking is a positive step forward after this very public information breach, but it's only a starting point. As a financial services provider Zurich must work towards becoming PCI compliant and manage and protect its customer data more carefully. They should ensure that this scenario cannot happen again and check that processes are in place to flag up any potential weak security areas. Once processes are in place to better protect customers, they should ensure that, should any such breach happen again (which it most likely will), their disaster team swings into place with seamless grace, and not a whole year goes by without reporting the loss. They need to take control of security and not just wildly try to put out fires. Investigations must be made into how the incident happened, the impact of the breach must be established, and their customer base must be reassured that it won't happen again.

The question of course, is how do they do this? Well, no matter what happens across applications, databases, operating systems, routers, switches, firewalls, VPNs, and the hundred other devices that make up the rich, varied and interoperable fabric of your IT backbone, it's all recorded. There are electronic surveillance cameras everywhere recording the basic facts: the very 'truth' of what happened, when, where, and by whom. Systems produce millions of log records every day. By investing in a system that can collect those logs, parse them, deeply understand them, normalise and then correlate the data, they can easily either trace lost or stolen data back through the net to the hole that let it out, or from the hole, run forward to find out what was taken. The logs are the only way you can do this, so it's important that they respond quickly and get their house in order, as those penalty fines are going to be a whole lot bigger next time around.

Zurich should implement a basic log management or a SIEM solution as quickly as possible. Once implemented, any breach will be flagged almost immediately by alerts triggered by unusual/suspicious activity. www.loglogic.com
Posted by: Guy Churchward, CEO, LogLogic www.loglogic.com 24 Mar 2010