Attorney General Fox Announces Settlement with Nationwide Mutual Insurance Company Over Data Breach
HELENA – Attorney General Tim Fox announced today that his office, along with the Attorneys General of 31 other states and the District of Columbia, has reached a settlement with the Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company (collectively “Nationwide”), concerning an October 2012 data breach. The data breach, which was alleged to have been caused by the failure to apply a critical security patch, resulted in the loss of personal information belonging to 1.27 million consumers, including their social security numbers, driver’s license numbers, credit scoring information, and other personal data. The lost personal information was collected by Nationwide in order to provide insurance quotes to consumers applying for insurance.
“Nationwide kept the personal information of people that it simply supplied quotes to — these individuals weren’t actual customers; they had no direct business relationship with the company. They were just folks who sought a quote at one point,” Attorney General Tim Fox said. “Nationwide kept the information of those people for a long time and was hacked because it failed to install a simple security patch. It would have taken minimal effort to avoid exposing these individuals to identity theft. This is a good reminder for all Montanans that even just having minimal contact with a company can equate to giving up their personal privacy and running the risk of exposing their personal information,” Attorney General Fox added.
The settlement requires Nationwide to take a number of steps to both generally update its security practices and to ensure the timely application of patches and other updates to its security software. Nationwide must also hire a technology officer responsible for monitoring and managing software and application security updates, including supervising employees responsible for evaluating and coordinating the maintenance, management, and application of all security patches and software and application security updates.
Additionally, Nationwide agreed to take steps during the next three years to strengthen its security practices, including:
- Updating its procedures and policies relating to the maintenance and storage of consumers’ personal data.
- Conducting regular inventories of the patches and updates applied to its systems used to maintain consumers’ personal information (“PII”).
- Maintaining and utilizing system tools to monitor the health and security of its systems used to maintain PII.
- Performing internal assessments of its patch management practices and hiring an outside, independent provider to perform an annual audit of its practices regarding the collection and maintenance of PII.
Many of the consumers whose data was lost as a result of the data breach were consumers who never became Nationwide’s insured, but the company retained their data in order to more easily provide the consumers re-quotes at a later date. The settlement requires Nationwide to be more transparent about its data collection practices by requiring it to disclose to consumers that it retains their PII even if they do not become its customers.
In addition to the injunctive terms, Nationwide agreed to make a payment of $5.5 million to the Attorneys General. Montana had 10,425 consumers impacted by the breach and expects to receive $113,863 from the settlement, which was joined by the Attorneys General of Alaska, Arizona, Arkansas, Connecticut, Florida, Hawaii, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, and the District of Columbia.