[BreachExchange] Nationwide Insurance Breach Settlement: $5.5 Million

Destry Winant destry at riskbasedsecurity.com
Thu Aug 10 05:26:15 EDT 2017


http://www.bankinfosecurity.com/nationwide-insurance-breach-settlement-55-million-a-10183

Nationwide Mutual Insurance Co. will pay a $5.5 million settlement and
update its security practices as a result of an agreement with
attorneys general in 33 states in the wake of a 2012 data breach
affecting more than 1.2 million individuals.

The settlement also names Nationwide's subsidiary, Allied Property &
Casualty Insurance Co.

The states allege that the October 2012 breach was caused by the
failure of the insurer to apply a critical security patch intended to
prevent hacking or a viral infection. The breach exposed the Social
Security numbers, driver's license numbers, credit scoring information
and other personal data initially collected to provide insurance
quotes to consumers applying for coverage, according to a statement
from New York Attorney General Eric Schneiderman. Many of those
consumers never became customers of the insurer, but the company
retained their data.

Security Steps

The settlement requires Nationwide to take specific steps to update
its security practices and to ensure timely application of patches and
other updates to its software. It must also hire a technology officer
responsible for monitoring and managing software and application
security updates.

In the next three years, under terms of the settlement, the company must:

- Update its procedures and policies on maintenance and storage of
consumers' personal data;
- Conduct regular inventories of the patches and updates applied to
its systems used to maintain consumers' personal information;
- Maintain and utilize system tools to monitor the security of systems
used to maintain personal information; and
- Perform internal assessments of its patch management practices and
hire an independent provider to perform an annual audit of its
practices regarding the collection and maintenance of personal
information.

The settlement also requires Nationwide to disclose to consumers that
it retains their personal information, even if they do not become its
customers.

Following the 2012 breach, Nationwide provided those affected with free
credit monitoring and ID theft protection services in addition to ID
fraud expense coverage of up to $1 million, according to the statement
from Schneiderman.

"Nationwide demonstrated true carelessness while collecting and
retaining information from prospective customers, needlessly exposing
their personal data in the process," he says.

Nationwide's Response

In a statement provided to Information Security Media Group,
Nationwide spokesman Eric Hardgrove states: "More than four years ago,
a portion of our computer network used by Nationwide Insurance agents
and Allied Insurance agents was subject to a sophisticated, criminal
attack. We discovered the attack that day and took immediate steps to
successfully contain the attack. We promptly reported the criminal
attack to law enforcement authorities and notified individuals whose
personal information we believed may have been compromised. ...

"The settlement agreement does not include any allegations that we
violated data security laws. We believe that we have not violated such
laws and that at all times our computer security has been compliant
with data security laws. The decision to enter into a settlement
agreement reflects our desire to continue our strong cybersecurity
program and to concentrate on our core business operations."

A class action lawsuit related to the breach is still pending,
according to news reports.

