Tuesday, 24 August 2010

Has Zurich UK just been mugged by the FSA?

If I were a Zurich UK shareholder, I think I might be asking directory enquiries for the name of a good human rights lawyer, as I would have a feeling in the pit of my stomach that the FSA had just breezed in and ripped off some of my human rights.

Why do I think this? Because I’ve just seen a press release from the Financial Services Authority which has fined Zurich UK £2,275,000 for the loss of an unencrypted back up tape which contained confidential (but not “sensitive”, as the Data Protection Act defines “sensitive” data) details of 46,000 customers. The loss occurred 2 years ago. This is something which, had it occurred 2 months ago, with the Information Commissioner’s Office leading the enforcement action, might well have resulted in a penalty of significantly less than £500,000.

How can this be right? How can one administrative body be able to impose a fine of £3.25 million (excluding the “good behaviour” discount) and yet another administrative body can only impose a maximum fine of £500,000 for the worst possible data breach imaginable? It seems perverse, and I do hope to read a press release from the ICO sometime soon outlining its views on whether different regulators ought to be permitted to impose penalties of a wholly different magnitude to each other. I wondered if the ICO had already issued a press release on the matter but no – today’s message from Wilmslow focussed on the discovery at a bus stop of an unencrypted CD containing old (“sensitive”) medical records of 112 patients from the intensive care unit of a hospital in Wolverhampton.

What also surprises me is that the most senior management levels within Zurich have apparently agreed to pay the fine. But why? Let’s have a good, public, fight about this. It may only be customers’ money they are playing with, but I really want to see a decent debate about the principles involved here.

On the one hand, Zurich UK appears ready to accept the punishment because the FSA says that it “failed to take reasonable care to ensure it had effective systems and controls to manage the risks relating to the security of customer data resulting from the outsourcing arrangement. The firm also failed to ensure that it had effective systems and controls to prevent the lost data being used for financial crime.”

But, we all know that, from April of this year, the Information Commissioner has new powers to impose fines when the business knew or ought to have known that there was a risk that a serious breach would occur, but failed to take reasonable steps to prevent it.

Call me old fashioned, but I can’t see much difference between the two competing sets of jurisdictions. The only thing that appears to be different is the size of the stick that each regulator can wield. I’m not convinced that this is fair. I don’t like healthcare lotteries, where levels of care vary depending on where someone lives. Nor do I like the concept of regulatory lotteries, where levels of punishment depend on which regulator claims “dibs” over it first. Thank goodness, in either case, the fines go to the Treasury, rather than the regulator’s own coffers.

So, my brief to counsel would be to construct an argument to the effect that it is wholly unacceptable for Zurich’s customers to be expected to meet the costs of this FSA fine when Parliament, in its wisdom, has only recently given general guidance (in setting the ICO’s fining powers at such a relatively low level) about the true level of punishments that should be meted out to the miscreants who knowingly continue to use dodgy processes that could lead to losses of personal data.

Failing that, my brief to counsel would also be to take Lord McNally, Minister of State for Justice, out for a couple of pints and explain to him that we’ve got this great idea for a new clause in the upcoming Great Constitutional Reform Bill. The aim of the clause would be to set out a statutory code which clarified which regulator was allowed to take action against whom and for what – so that Parliament can make the determination, rather than leave it up to any agreements between the regulators themselves.

These financial services people appear to live in another world, when it comes to fines and financial losses. I wonder if that was one of the reasons that the new Coalition Government are so determined to restructure the FSA and get its feet closer to the ground.

The FSA’s press release which explains what they did and why they did it can be found at http://www.fsa.gov.uk/pubs/final/zurich_plc.pdf

The ICO’s press release, explaining its views on the issue, does not yet appear to exist.