State AGs Reach Settlement with Nationwide Over 2012 Data Breach
By Reade Jacob
On August 9, 2017, attorneys general representing 32 states and the District of Columbia announced a settlement with Nationwide Mutual Insurance Co. and its unit Allied Property & Casualty (collectively, “Nationwide”) to resolve the states’ investigation into the company’s 2012 data breach. Under the terms of the Assurance of Voluntary Compliance (“AVC”), found
According to a
The data breach may have resulted in the loss of consumers’ Social Security numbers, driver’s license numbers, credit scoring information and other personal data. Nationwide collected this personal information to provide insurance quotes to consumers applying for insurance, according to Attorney General Bondi.
In addition to the $5.5 million settlement, Nationwide also agreed to take the following steps during the next three years to strengthen its security practices:
Updating procedures and policies relating to the maintenance and storage of consumers’ personal data;
Conducting regular inventories of the patches and updates applied to its systems, performing internal assessments of patch management practices and hiring an independent provider to perform annual audits; and
Maintaining and utilizing system tools to monitor the health and security of systems used to maintain personal information.
State attorneys general have been active in investigating data breaches and promoting effective cybersecurity standards. The latest settlement continues that pattern but is particularly noteworthy for two principal reasons:
First, the settlement figure of $5.5 million is large given the number of customers impacted, which is comparatively small when viewed in the context of other recent, large state breach settlements.This is likely due to the sensitivity of the information exposed. Other breaches often have involved payment card information, which is typically considered less sensitive because consumers can be issued new credit and debit cards.
Second, the settlement demonstrates the states’ continued interest in investigating data breaches and establishing comprehensive cybersecurity standards. State attorneys general are interested not only in monetary payment, but also in requiring companies to take steps to strengthen its security practices. As a result, companies that collect and store personal information should closely monitor these AVCs to ensure that they have proper security controls in place.
Florida was a “lead state in the investigation,” according to Attorney General Bondi's office. The other AG offices participating are those of Alaska, Arizona, Arkansas, Connecticut, Hawaii, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington and the District of Columbia.