The FSA has fined Zurich Insurance UK £2.27m for failing to prevent loss of customers' confidential information - the biggest fine levied on a single firm for data security failings.
The failings came to light following the loss of 46,000 customers' personal details, including identity information, bank account and credit card information, and details about insured assets and security arrangements.
Zurich Insurance South Africa lost an unencrypted back-up tape during a routine transfer to a data storage centre but, as there were no proper reporting lines in place, Zurich UK did not learn of the incident until a year later.
The FSA says customers could have been exposed to serious financial detriment and even to the risk of burglary. However, it stresses Zurich UK has seen no evidence to suggest the information was compromised or misused.
It says Zurich UK failed to take reasonable care to ensure it had effective systems and controls to manage risks relating to the security of customer data.
"Zurich UK let its customers down badly. It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA," says Margaret Cole, FSA director of enforcement and financial crime.