Zurich Insurance UK has been fined £2.275m by the Financial Services Authority (FSA) for not having the controls to prevent the loss of confidential personal data of 46,000 customers.
The fine, the heaviest yet for a data loss, came after the FSA uncovered failings in Zurich UK's systems and controls.
The FSA warned in 2008 that financial services firms were not checking their controls over outsourced data processing.
The FSA investigation followed the loss of 46,000 customers' personal details, including identity details, and in some cases bank account and credit card information, details about insured assets and security arrangements. Zurich was unaware that it had lost the data for a year.
"The loss could have led to serious financial detriment for customers and even exposed them to the risk of burglary," the FSA said in a statement.
Zurich UK said it had seen no evidence to suggest that the lost data was compromised or misused.
The FSA said Zurich UK had outsourced the processing of some of its general insurance customer data to its South African subsidiary.
"In August 2008, Zurich SA lost an unencrypted back-up tape during a routine transfer to a data storage centre. As there were no proper reporting lines in place Zurich UK did not learn of the incident until a year later," the FSA said.
"Zurich UK failed to take reasonable care to ensure it had effective systems and controls to manage the risks relating to the security of customer data resulting from the outsourcing arrangement.
"The firm also failed to ensure that it had effective systems and controls to prevent the lost data being used for financial crime," it said.
The FSA's director of enforcement and financial crime, Margaret Cole, said Zurich UK had let down its customers badly. "Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made."
As Zurich UK agreed to settle at an early stage of the investigation, the firm qualified for a 30% discount. Without this, the firm would have had to pay £3.25m.
The FSA has previously fined HSBC, Nationwide and Norwich Union for data loss.
Computer Weekly says...
The FSA's ability to levy eye-catching fines is in marked contrast with the powers of the country's data protection agency, the Information Commissioner's Office. Only in April did the ICO receive the power to fine a firm up to £500,000 for a data loss. It has yet to use the full extent of its power.