Banking and Finance Law Daily
Thursday, August 10, 2017

Nationwide Mutual Insurance agrees to pay $5.5 million for data breach

By J. Preston Carter, J.D., LL.M.

Thirty-two states have reached an agreement with Nationwide Mutual Insurance Company in which the company will pay $5.5 million concerning a 2012 data breach that resulted in the loss of personal information belonging to 1.2 million companies. The states allege that the breach was caused by the failure to apply a critical security patch intended to prevent hacking or viral infection, violating a number of state consumer protection acts. The breach included Social Security numbers, driver’s license numbers, credit scoring information, and other personal data initially collected to provide insurance quotes to consumers applying for Nationwide insurance plans, many of whom did not ultimately become insured by the company.

In his announcement of the settlement, New York State Attorney General Eric Schneiderman said, "Nationwide demonstrated true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process. This settlement should serve as a reminder that companies have a responsibility to protect consumers’ personal information regardless of whether or not those consumers become customers."

The settlement requires Nationwide to take a number of steps to update its security practices and ensure the timely application of patches and other updates to its security software. Also, it must hire a technology officer responsible for monitoring and managing software and application security updates, including supervising employees responsible for evaluating and coordinating the maintenance, management, and application of all security patches and software and application security updates.

Although many of the affected consumers never became insured by Nationwide, the company retained their data in order to more easily provide them with re-quotes at a later date. Therefore, the settlement requires Nationwide to be more transparent about its data collection practices, including by disclosing to consumers that it retains their personal information even if they do not become its customers.

Companies: Nationwide Mutual Insurance Company
