Nationwide Mutual Insurance Co. has agreed to pay $5.5 million to settle charges related to an October 2012 data breach that resulted in the loss of the personal information of about 1.27 million consumers.
The data breach was caused by the failure to apply a security patch to prevent hacking or viral infection, according to the settlement with 33 state attorneys general. The breach included Social Security numbers, driver’s license numbers, credit scoring information, and other personal data collected to provide insurance quotes to consumers applying for Nationwide insurance plans.
“Nationwide demonstrated true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process,” said New York Attorney General Eric Schneiderman.
The settlement requires Nationwide to take steps to update its security practices and to ensure the timely application of patches and other updates. Nationwide also is being required to hire a technology officer who will be in charge of software and application of security updates.
Many of the consumers whose data was lost never became Nationwide’s customers, but the company kept their data to more easily provide the consumers re-quotes later. Following the breach, affected consumers were provided with free credit monitoring and identity theft protection, in addition to identity fraud expense coverage up to $1 million and access to credit reports. The settlement announced Wednesday requires Nationwide to be more transparent about its data collection practices, including disclosing to consumers that it retains their personal information, even if they don’t become its customers.
The 33 attorneys general signing the settlement are from the District of Columbia and the following states: New York, Alaska, Arizona, Arkansas, Connecticut, Florida, Hawaii, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, North Carolina, North Dakota, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, and Washington.