You cannot outsource truly sensitive data this way and expect it to be defensible. As EDD Blog Online points out: The UK "...found that the insurer had failed to take reasonable care to ensure it had effective systems and controls to manage the risks relating to the security of customer data resulting from the outsourcing arrangement." And I completely agree. Zurich, specifically their IT, Compliance, and Risk Management policies, should be reviewed to ensure that their data is kept safe.
There are enough people out there trying to scam their way to stealing our identities (see Nigerian Scam), without insurance and credit card companies literally losing them. Let's try to act a little responsibly without having to have the government mommy us. Companies with sensitive data (which is pretty much every company) need to archive their data in-house.
I can't believe this actually happened.