Loss of personal data.
Unencrypted backup tape lost by the data processor.
Undertaking issued to ensure that where any future movement of backup tapes is required appropriate data security measures, including encryption, are taken. Staff and external contractors must be made aware of security procedures and trained to follow them. Adequate checks must be carried out on contractor’s staff and effective controls must be put in place to monitor and report potential or actual data loss activity.
Reason for action
Zurich did not audit data processor (a Group company in South Africa) and relied on group policies procedures and controls rather than managing the outsourced relationship as with a normal data processor.
7 March 2010
View PDF of the Zurich Insurance plc Undertaking (Breach Watch Archive)