Nationwide to Pay $5.5M to 32 States, D.C. Over Data Breach

By Aaron Nicodemus

Nationwide Mutual Insurance Co. has agreed to pay $5.5 million to close a multistate data breach investigation, attorneys general from several states announced Aug. 9.

Companies that allegedly fail to properly install software security updates to harden their computer networks against cyberattacks run the risk of enforcement actions by state attorneys general.

In 2012, hackers accessed personal information, including Social Security and driver’s license numbers, of some 1.27 million customers of Nationwide and its subsidiary, Allied Property & Casualty Insurance Co., and other consumers by exploiting a third-party web application vulnerability, according to allegations in the settlement.

The companies “failed to apply a critical software patch that the third party software company had deployed in 2009 to address the vulnerability,” Connecticut Attorney General George Jepsen (D) said in a statement. Connecticut, the District of Columbia, Florida, and Maryland led the investigation, with 29 other states joining the settlement.

Nationwide to Improve Security

Under the no-fault agreement, Nationwide agreed to improve its data security; ensure that software is up-to-date; and hire a technology officer to monitor and manage security updates, and supervise employees responsible for software.

Many of the consumers whose data was compromised weren’t insured by Nationwide, but the company retained their data to provide additional quotes at a later date. The settlement requires Nationwide to disclose to consumers that it retains their personal information, even if they don’t become customers.

“It is critically important that companies take seriously the maintenance of their computer software systems and their data security protocols,” Jepsen said.

A spokesman for Nationwide said in a statement provided to Bloomberg BNA that the company’s “decision to enter into a settlement agreement reflects our desire to continue our strong cybersecurity program and to concentrate on our core business operations. Protecting consumer data is something that we take seriously. We believe a private/public partnership would be the best approach to combat cyber-attacks on U.S. companies.”

To contact the reporter on this story: Aaron Nicodemus in Boston at anicodemus@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

The settlement agreement is available at http://src.bna.com/rwx.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
