Conn. Leads $5.5M Multistate Settlement with
Nationwide Insurance Company over 2012 Data Breach
Connecticut has joined with 31 other states and the District of Columbia in a $5.5 million settlement with Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company, that resolves the states' investigation into a 2012 data breach that exposed sensitive personal information of 1.2 million consumers across the country, Attorney General George Jepsen and state Department of Consumer Protection (DCP) Commissioner Michelle H. Seagull announced today.
On October 3, 2012, Nationwide and Allied (collectively, "Nationwide"), experienced a data breach when, the states' investigation found, hackers exploited a vulnerability in the companies' third-party Web application hosting software. The states' investigation found that Nationwide had failed to apply a critical software patch that the third-party software company had deployed in 2009 to address the vulnerability.
The vulnerability allowed hackers to access consumer information that Nationwide collected when providing consumers with quotes for its insurance products. Personal information – including full names, sex, occupations, employer names and addresses, driver's license numbers and states of issuance, Social Security numbers, marital status, dates of birth and a Nationwide internal credit-related score – was accessed by the hackers.
Many of the consumers whose data was lost as a result of the data breach were consumers who never became Nationwide's insureds, but the company retained their data in order to more easily be able to provide the consumers additional quotes at a later date. Approximately 774 Connecticut residents were impacted by the breach. The states alleged that the companies' failure to safeguard consumer information in their possession was in violation of state consumer protection laws.
"Connecticut law requires that anyone in possession of another person's personal information safeguard that data," said Attorney General Jepsen. "It is critically important that companies take seriously the maintenance of their computer software systems and their data security protocols. We appreciate Nationwide's cooperation in bringing this matter to an appropriate and responsible resolution."
"Our economy works best when businesses can be trusted to protect consumer information appropriately," said Commissioner Seagull. "We encourage all businesses to make computer safety, and data security part of everyday workplace culture in order to protect information, and ensure consumers' trust."
Connecticut's share of the settlement funds totals $256,559.28, which will be deposited in the state's general fund.
In addition to the settlement payment, Nationwide has agreed to be more transparent about its data collection practices by disclosing that they retain information collected from consumers even if the consumers do not become insureds. The companies are required to appoint a qualified individual who is responsible for monitoring and managing software and application security updates and security patch management.
Additionally, Nationwide agreed to take steps during the next three years to strengthen its security practices, including:
• Updating its procedures and policies relating to the maintenance and storage of consumers’ personal data;
• Conducting regular inventories of the patches and updates applied to its systems used to maintain consumers’ personal information ("PII");
• Maintaining and utilizing system tools to monitor the health and security of their systems used to maintain PII; and
• Performing internal assessments of its patch management practices and hiring an outside, independent provider to perform an annual audit of its practices regarding the collection and maintenance of PII.
The Connecticut Attorney General's office was a co-leader of the investigation and negotiations in this matter, together with the Offices of the Attorney General of the District of Columbia, Florida and Maryland.
Assistant Attorneys General Michele Lucan and Matthew Fitzsimmons, head of the Privacy and Data Security Department, assisted the Attorney General with this matter.
Office of the Attorney General:
Jaclyn M. Falkowski
Department of Consumer Protection:
Lora Rae Anderson