Chicago—(ENEWSPF)—August 11, 2017. Attorney General Lisa Madigan and the attorneys general of 31 states and the District of Columbia announced a settlement with Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company (collectively, Nationwide) over an October 2012 data breach.
The data breach was allegedly caused by Nationwide’s failure to apply a critical security patch. The breach resulted in 1.27 million consumers having their personal information, including social security numbers, driver’s license numbers, credit scoring information and other personal data, stolen or compromised.
Much of the personal information compromised through the data breach belonged to consumers who were never insured by Nationwide. The company collected prospective customers’ personal information in order to provide insurance quotes to applicants and kept that personal information even if consumers did not purchase insurance through Nationwide. The settlement requires more transparent data collection practices by mandating that Nationwide disclose to consumers that their personal information will be retained, even if they do not become Nationwide customers.
“People have the right to know how their sensitive personal information is being used and retained by companies,” Madigan said. “This settlement requires Nationwide to inform consumers of the extent to which their information will be kept on file and also requires the company to implement better data security measures.”
The settlement also requires the company to take a number of steps to update its security practices and ensure the timely application of patches and other security software updates. Nationwide must also hire a technology officer responsible for monitoring and managing software and application security updates. The technology officer will also supervise employees responsible for evaluating and coordinating the maintenance, management and application of all security patches and security updates to software and applications.
Additionally, as part of the settlement, Nationwide must take steps during the next three years to strengthen its security practices, including:
- Updating its procedures and policies relating to the maintenance and storage of consumers’ personal data;
- Conducting regular inventories of the patches and updates applied to systems used to maintain consumers’ personal information (PII);
- Maintaining and utilizing system tools to monitor the health and security of the systems used to maintain PII; and
- Performing internal assessments of patch management practices, and hiring an outside, independent provider to perform an annual audit of Nationwide’s practices regarding the collection and maintenance of PII.
Under the settlement, Nationwide will pay $5.5 million to the states included in the settlement, and Illinois will receive more than $280,000.
In addition to Illinois, the settlement was joined by the attorneys general of Alaska, Arizona, Arkansas, Connecticut, Florida, Hawaii, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington and the District of Columbia.
The settlement was handled by Assistant Attorneys General Yangsu Kim and Matthew Van Hise for Madigan’s Consumer Fraud Bureau.