You can outsource responsibility, but not accountability

Yesterday saw an announcement by the Financial Services Authority (FSA) that the UK arm of Zurich Insurance Plc has agreed a record-breaking fine of £2.4m as a result of losing 46,000 customer records. The records, which comprised personal details, ‘identity details,’ and in some cases bank account and credit card information, details about insured assets and security arrangements, were on an unencrypted back-up tape which was lost in transit during routine transfer to Zurich Insurance Company South Africa Ltd. The SA subsidiary was handling processing on behalf of the UK arm, but there were apparently no proper reporting lines between the two, and the loss was not reported to the UK for over a year after it occurred. There is no suggestion that the lost data has been misused.

In its statement, the FSA said:

“Zurich UK let its customers down badly. It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA. To make matters worse, Zurich UK was oblivious to the data loss incident until a year later.

“Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made.”

There are a few important implications arising from the FSA’s actions. A key issue is the valuation of data assets: by settling at an early stage of investigation, Zurich managed to get the fine down from £3.25m to £2.4m. This means that the FSA has assessed the value of each missing record as being approximately £70. That’s a figure that is substantially higher than has been assigned to many similar fines in the past, but is arguably much less than the damage per customer that could have been done if the data were misused. Of course the fine is not actually calculated in this way, and is in fact levied because the organisation “failed to take reasonable care to ensure it had effective systems and controls to manage the risks relating to the security of customer data resulting from the outsourcing arrangement.”

Then there is the (hopefully obvious) fact that whilst an organisation can outsource responsibility for proper data management, it cannot outsource accountability: the Data Protection Act makes it clear that the Data Controller remains accountable for proper management of data by a Data Processor acting on its behalf. Yet so many organisations fail to recognise this, particularly when they are passing data within the organisation – in many cases they fail to realise that a data sharing process is even occurring.

The scale of the fine is also clearly there to set an example to other regulated financial organisations to put their security arrangements in order. Nationwide, HSBC and Marks & Spencer have all fallen foul of substantial fines from the FSA, in each case being found guilty of systemic security failures. The FSA said “Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made.” Zurich’s shareholders can justifiably feel aggrieved at the scale of the fine compared with those applied elsewhere in the sector or across other sectors.

That brings us on to the issue of who is responsible for Data Protection regulation. The Information Commissioner’s Office does not have a reputation for enforcement in the way that many of its European counterparts have – for example, the Schleswig-Holstein Commissioner in Germany has a fearsome reputation and is unafraid to take on the likes of the federal government, Google or SWIFT. In comparison, the UK Commissioner rarely attempts enforcement action against large firms or public authorities, and even then normally settles for an Enforcement Notice rather than a financial penalty. The FSA on the other hand is clearly happy to hit companies hard for data protection breaches. Whilst I support that approach – poor data protection practices invariably arise from poor information security regimes coupled with a cultural disregard for personal data – I’m somewhat concerned that heavy penalties will deter firms from voluntarily notifying individuals or authorities about breaches when they occur, for fear of being penalised. In this particular case, Zurich voluntarily notified its customers of the loss, but I’m guessing that other financial firms in the same position might think twice in light of this penalty (government authorities and any unregulated body can of course carry on with relative impunity, not being subject to the FSA’s regime).

So what does all this mean? Whilst I fully support meaningful penalties for organisations that systemically fail to protect personal data, I’m concerned that the creation of scapegoats will simply serve to deter organisations – and financial organisations in particular – from voluntarily reporting incidents when they occur. We need to level the playing field such that fines are proportionate to the offence and the organisation’s ability to pay, regardless of size or sector. We need to consolidate to a single regulator for a single issue, rather than sector-specific regulators determining their own scale of penalties. And we need the Information Commissioner to recognise that after 20 years of promotion and awareness, it’s time to focus his resources on effective enforcement. Only then will all organisations, and public authorities in particular, start to treat personal data with the respect it deserves, and stop trying to duck accountability for protecting it properly.