Nationwide pays Iowa nearly $322,000 over 2012 data breach


DES MOINES, Iowa (KCRG-TV9) -- Ohio-based Nationwide Mutual Insurance Company will enhance its online security practices and pay $5.5 million as part of a multistate settlement following a 2012 data breach that affected more than a million consumers.

The settlement with Nationwide and its subsidiary, Allied Property & Casualty Insurance Company, includes a $321,837 payment to Iowa’s consumer education and litigation fund.

The October 2012 breach exposed personal information from 1.27 million consumers—both customers and non-customers alike—including 91,620 Iowans.

The personal data included Social Security numbers, driver’s license numbers, and credit scoring information. The company collected the information for insurance quotes.

The 32 states plus the District of Columbia allege the breach occurred after Nationwide failed to apply a critical security patch.

“Companies that collect or store personal data must understand that they need to protect it,” Attorney General Tom Miller said. “Data breaches like this expose consumers to identity theft, financial harm, a loss of privacy, and added stress.”

The settlement requires the insurer to take steps to update its security practices generally and to apply security patches and other updates to its security software in a timely manner.

The company must also hire a technology officer to monitor and manage software and application security updates.

The technology officer will supervise employees responsible for evaluating and coordinating the company’s maintenance, management, and application of security patches and software and application security updates.

Additionally, Nationwide agrees to take steps during the next three years to strengthen its security practices, including:

• Updating its procedures and policies relating to the maintenance and storage of consumers’ personal data
• Conducting regular inventories of the patches and updates applied to its systems used to maintain consumers’ personally identifiable information, or PII
• Maintaining and utilizing system tools to monitor the health and security of systems used to maintain PII
• Performing internal assessments of its patch management practices and hiring an outside, independent provider to perform an annual audit of its practices regarding the collection and maintenance of PII

Many of the consumers whose data was compromised never became Nationwide customers, but the company retained their data in order to more easily provide future re-quotes.

The settlement requires Nationwide to be more transparent about its data collection practices by requiring it to disclose to consumers that it retains their personally identifiable information even if they do not become its customers.