
Zurich Insurance fined £2.275m for data loss

24/08/2010
The FSA has fined the UK branch of Zurich Insurance £2.275m for failing to have adequate systems and controls in place after it lost 46,000 policy holders’ confidential details.

The fine is the highest levied to date on a single firm for data security failings.

Customer personal details that were lost included identity details, in some cases bank account and credit card information, insured assets details and security arrangements.

The FSA said the loss of data could have led to serious financial detriment for customers and exposed them to the risk of burglary.

Nevertheless, Zurich UK said there is no evidence to suggest that the personal data was compromised or misused.

The data loss arose from Zurich UK outsourcing the processing of some of its general insurance customer data to Zurich Insurance Company South Africa (Zurich SA).

In August 2008, Zurich SA lost an unencrypted back-up tape during a routine transfer to a data storage centre, which Zurich UK did not learn about until a year later.

The FSA said Zurich UK failed to ensure it had effective systems and controls in place to manage the risks outsourcing posed to the security of customer data and prevent lost data from being used for financial crime.

Margaret Cole, director of enforcement and financial crime at the FSA, said: “Zurich UK let its customers down badly. It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA. To make matters worse, Zurich UK was oblivious to the data loss incident until a year later.”

“Firms across the financial sector would do well to look at the details of this case and learn from the mistakes that Zurich UK made,” she warned.

Stephen Lewis, chief executive of Zurich Insurance UK, said that the incident was “unacceptable”.

He said that Zurich was working with KPMG to review its data security systems and procedures, and had already taken steps to enhance its procedures, including appointing an Information Security Officer.

Lewis said: “We believe our customers can be confident that we are doing everything we can to keep their data secure and protected.

“The FSA has acknowledged that we fully cooperated with its investigation and recognised that we treated the incident with utmost seriousness and have demonstrated a commitment to take the necessary steps to ensure the on-going security of our customer data.”

Zurich Insurance UK avoided a fine of £3.25m after agreeing to settle at an early stage of the FSA’s investigation and qualifying for a 30% discount.
