Nationwide Mutual Insurance and its subsidiary Allied Property and Casualty Insurance have settled with 33 states for $5.5 million over a 2012 multi-state data breach. The settlement will be used to cover the costs of litigation, the investigation and consumer protection law enforcement, data security improvements, and other fees.
In September 2012, cybercriminals hacked Nationwide's systems and stole personal data belonging to 1.27 million people. Some of the affected individuals were Nationwide customers, but perhaps the most disturbing fact about the breach is that others had only obtained quotes from Nationwide, yet their data was still stored. The stolen data included Social Security numbers, driver's licenses, and credit scores. The hackers gained access to the system by exploiting a flaw in a third-party application.
In addition to paying the $5.5 million fine, the settlement requires Nationwide to update its security practices to ensure patches are applied in a timely manner. Moreover, the company is required to hire a Technology Officer tasked with monitoring and managing software and security updates. The Technology Officer will also supervise the employees responsible for evaluating and coordinating the maintenance, management, and application of security patches. Over the next three years, Nationwide must update its policies for how personal data is stored, conduct regular inventories of patches and updates, maintain and use tools to monitor the security state of its systems, and perform internal assessments of its patch management practices. Nationwide will also need to hire a third-party vendor to perform an annual audit of its practices for collecting and storing personal information.