Nationwide Insurance Breach Settlement: $5.5 Million
Agreement With 33 Attorneys General Also Requires Security Updates
Nationwide Mutual Insurance Co. will pay a $5.5 million settlement and update its security practices as a result of an agreement with attorneys general in 32 states and the District of Columbia in the wake of a 2012 data breach affecting more than 1.2 million individuals.
The settlement also names Nationwide's subsidiary, Allied Property & Casualty Insurance Co.
The states allege that the October 2012 breach was caused by the failure of the insurer to apply a critical security patch intended to prevent hacking or a viral infection. The breach exposed the Social Security numbers, driver's license numbers, credit scoring information and other personal data initially collected to provide insurance quotes to consumers applying for coverage, according to a statement from New York Attorney General Eric Schneiderman. Many of those consumers never became customers of the insurer, but the company retained their data.
The settlement requires Nationwide to take specific steps to update its security practices and to ensure timely application of patches and other updates to its software. It must also hire a technology officer responsible for monitoring and managing software and application security updates.
In the next three years, under terms of the settlement, the company must:
- Update its procedures and policies on maintenance and storage of consumers' personal data;
- Conduct regular inventories of the patches and updates applied to its systems used to maintain consumers' personal information;
- Maintain and utilize system tools to monitor the security of systems used to maintain personal information; and
- Perform internal assessments of its patch management practices and hire an independent provider to perform an annual audit of its practices regarding the collection and maintenance of personal information.
The settlement also requires Nationwide to disclose to consumers that it retains their personal information, even if they do not become its customers.
Following the 2012 breach, Nationwide provided those affected with free credit monitoring and ID theft protection services, in addition to ID fraud expense coverage of up to $1 million, according to the statement from Schneiderman.
"Nationwide demonstrated true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process," he says.
In a statement provided to Information Security Media Group, Nationwide spokesman Eric Hardgrove states: "More than four years ago, a portion of our computer network used by Nationwide Insurance agents and Allied Insurance agents was subject to a sophisticated, criminal attack. We discovered the attack that day and took immediate steps to successfully contain the attack. We promptly reported the criminal attack to law enforcement authorities and notified individuals whose personal information we believed may have been compromised. ...
"The settlement agreement does not include any allegations that we violated data security laws. We believe that we have not violated such laws and that at all times our computer security has been compliant with data security laws. The decision to enter into a settlement agreement reflects our desire to continue our strong cybersecurity program and to concentrate on our core business operations."
A class action lawsuit related to the breach is still pending, according to news reports.