Thirty-three attorneys general have reached a $5.5 million settlement with Nationwide Mutual Insurance Co. and its subsidiary Allied Property & Casualty Insurance Co. in connection with the company's October 2012 data breach.
"The data breach, which the states allege had been caused by the failure to apply a critical security patch intended to prevent hacking or viral infection, resulted in the loss of personal information belonging to 1.27 million consumers," a press release from the office of New York State Attorney General Eric Schneiderman stated. The breach included the individuals' names, Social Security numbers, driver's license numbers, credit score information and other personal data.
In addition to the monetary payment, Nationwide will be required to implement a number of improvements in its data security. In the next three years, Nationwide has agreed to take steps to strengthen its security practices, including monitoring the health of systems used to maintain personal information and performing internal assessments of its patch management practices.
The settlement requires the company to be more transparent about its data collection practices, including disclosing to consumers that it retains their personal information, even if they do not become Nationwide customers. Many of those affected in the breach did not ultimately become insured by the company, Schneiderman's office said.
The settlement also requires Nationwide to update its security practices and ensure timely patches and updates to its security software. The company must hire a technology officer to oversee these efforts.
The settlement was signed by 33 attorneys general, representing Alaska, Arizona, Arkansas, Connecticut, Florida, Hawaii, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington and the District of Columbia.
Nationwide spokesman Eric Hardgrove said in an emailed statement that the settlement is consistent with the company's "longstanding commitment to protect customer information." He noted that the company does not believe it violated any data security laws, and said the settlement agreement reflects Nationwide's desire to continue a strong cybersecurity program and to concentrate on its core business operations.
"We believe a private/public partnership would be the best approach to combat cyber-attacks on U.S. companies, and we are pleased Nationwide is at the forefront of this approach," Hardgrove said.