Arizona and 31 other states and the District of Columbia, have obtained a $5.5 million settlement with Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company for damages resulting from a data breach.
The settlement resolves the states’ investigation into Nationwide’s October, 2012 data breach that resulted in the loss of personal information belonging to 1.27 million consumers. The data breach was alleged to have been caused by Nationwide’s failure to apply a critical security patch, resulting in the loss of social security numbers, driver’s license numbers, credit scoring information and other personal data.
In addition to Arizona states participating in this settlement include: Alaska, Arkansas, Connecticut, Florida, Hawaii, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Mississippi, Missouri, Montana, Nebraska, New Jersey, New Mexico, New York, Nevada, North Carolina, North Dakota, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, and the District of Columbia.
The lost personal information was collected by Nationwide in order to provide insurance quotes to consumers applying for insurance. Yet, many of the consumers affected by the data breach were consumers who never became Nationwide’s insureds; the company retained their data in order to more easily provide the consumers updated quotes at a later date.
Under the terms of the settlement, Nationwide has agreed to make a payment of $5.5 million to the state attorneys general. The company is required to be more transparent about its data collection practices by disclosing to consumers that it retains their personal information even if they do not become its customers.
The settlement additionally requires Nationwide to take a number of steps to generally update its security practices and to ensure the timely application of patches and other updates to its security software. Nationwide must also hire a technology officer responsible for monitoring and managing software and application security updates. Additionally, Nationwide agreed to take specific steps during the next three years to strengthen its security practices.