Nationwide and one of its wholly owned subsidiaries have agreed to a $5.5 million settlement for a data breach that occurred in 2012. On 9 August, the Ohio-based insurance corporation along with Allied Property & Casualty Insurance Company agreed to the "Assurance of Voluntary Compliance" (PDF) with 33 Attorneys General of Alaska, Arizona, Arkansas, Connecticut, Florida, Hawaii, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oregon, Pennsylvania Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, and the District of Columbia. In accordance with the Assurance, the two companies will pay $5.5 million to the Attorneys General. Those officials can then use the funds to cover attorneys' fees, costs of investigation, and consumer education for the future. Josh Shapiro is Attorney General of Pennsylvania, a state which will receive $248,830 of the $5.5 million. He said in a release that he's pleased with Nationwide's agreement to abide by the settlement. As quoted by PennLive:
"Protecting Pennsylvanians' privacy and personal information like Social Security numbers and credit data is a key priority. Anyone, whether it's a large company or an online scammer, who fails to protect your information will be held accountable."
On 3 October 2012, Nationwide and Allied suffered a data breach. The intrusion exposed the name, sex, occupation, driver's license number, Social Security Number, and other information of 1.27 million consumers, some of whom weren't Nationwide customers but who had merely applied for insurance plans with the company in the past. Following the incident, Nationwide reported the attack to law enforcement, notified all affected individuals, and provided those victims with a year of free credit monitoring, as reported by USA Today. It's thought the data breach resulted from Nationwide and Allied's failure to implement a security patch on one of their shared systems. To prevent similar incidents from occurring in the future, the Assurance requires Nationwide to be more transparent about its data collection and retention practices, hire an information technology officer who can oversee the review of Nationwide's security policies and orchestrate the company's patch management processes, update an inventory of all hardware and software on at least a semi-annual basis, regularly review and update its incident response policies, use a tool to document and patch CVEs, and report its compliance with these terms to the Attorneys General. Eric Hardgrove, a Nationwide spokesperson, told Security Media Group the insurance conglomerate accepts all those provisions. As quoted by BankInfoSecurity:
"The settlement agreement does not include any allegations that we violated data security laws. We believe that we have not violated such laws and that at all times our computer security has been compliant with data security laws. The decision to enter into a settlement agreement reflects our desire to continue our strong cybersecurity program and to concentrate on our core business operations."
News of this Assurance follows more than a month after health insurance plan provider Anthem agreed to pay $115 million to settle a class-action lawsuit over the 2015 data breach that compromised the personal information of nearly 80 million customers.
