Nationwide settles data breach suit for $5.5 million

Nationwide Mutual Insurance Co. and a subsidiary have reached a $5.5 million settlement with 33 state attorneys general over an October 2012 data breach that resulted in the loss of personal information belonging to 1.27 million consumers.

The data lost in the breach involving Columbus, Ohio-based Nationwide and subsidiary Allied Property & Casualty Insurance Co. included customers’ gender, occupations, employer names and addresses, driver’s license numbers, Social Security numbers, marital status, dates of birth and Nationwide internal credit-related scores, according to the settlement agreement, which was announced by New York Attorney General Eric Schneiderman on Wednesday.

The breach occurred on Oct. 3, 2012, when hackers exploited a vulnerability in the insurers’ web application-hosting software, according to the settlement agreement.

After the data was breached, Nationwide addressed the software vulnerability by applying a software patch that had not been previously applied, according to the settlement agreement.

In addition, to paying $5.5 million, Nationwide agreed to appoint a “patch policy supervisor” whose duties will include, for a period of three years, being responsible for software and application security updates, according to the settlement agreement.

“Nationwide demonstrated true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process,” Mr. Schneiderman said in a statement. “This settlement should serve as a reminder that companies have a responsibility to protect consumers’ personal information regardless of whether or not those consumers become customers. We will hold companies to account if they don’t.”

Nationwide said in a separate statement that it “is pleased to have reached a settlement that we believe is consistent with our longstanding commitment to protect customer information.”

The insurer said, “The settlement agreement does not include any allegations that we violated data security laws. We believe that we have not violated such laws and that at all times our computer security has been compliant with data security laws.

“The decision to enter into a settlement agreement reflects our desire to continue our strong cybersecurity program and to concentrate on our core business operations. Protecting consumer data is something that we take seriously,” the statement said.

“We believe a private/public partnership would be the best approach to combat cyber attacks on U.S. companies, and we are pleased Nationwide is at the forefront of this approach.”