New York, NY - August 9, 2017 - Attorney General Schneiderman today announced that New York, along with 32 other states, has reached a settlement with the Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company, concerning an October 2012 data breach. The data breach, which the states allege had been caused by the failure to apply a critical security patch intended to prevent hacking or viral infection, resulted in the loss of personal information belonging to 1.27 million consumers – including 2,810 New Yorkers. The breach included social security numbers, driver’s license numbers, credit scoring information, and other personal data initially collected to provide insurance quotes to consumers applying for Nationwide insurance plans—many of whom did not ultimately become insured by the company. In addition to agreeing to improve its data security, Nationwide will pay a total of $5.5 million, including $103,736.78 to New York State.
“Nationwide demonstrated true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process,” said Attorney General Schneiderman. “This settlement should serve as a reminder that companies have a responsibility to protect consumers’ personal information regardless of whether or not those consumers become customers. We will hold companies to account if they don’t.”
The settlement requires Nationwide to take a number of steps both to update its security practices and to ensure the timely application of patches and other updates to its security software. Nationwide must also hire a technology officer responsible for monitoring and managing software and application security updates, including supervising employees responsible for evaluating and coordinating the maintenance, management, and application of all security patches and software and application security updates. Additionally, Nationwide agreed to take steps during the next three years to strengthen its security practices, including:
- Updating its procedures and policies relating to the maintenance and storage of consumers’ personal data.
- Conducting regular inventories of the patches and updates applied to its systems used to maintain consumers’ personal information.
- Maintaining and utilizing system tools to monitor the health and security of its systems used to maintain personal information.
- Performing internal assessments of its patch management practices and hiring an outside, independent provider to perform an annual audit of its practices regarding the collection and maintenance of personal information.
Many of the consumers whose data was lost as a result of the breach were consumers who never became Nationwide’s insureds, but the company retained their data in order to more easily provide the consumers re-quotes at a later date. Following the breach, affected consumers were provided with free credit monitoring and identity theft protection, in addition to identity fraud expense coverage up to $1 million and access to credit reports. The settlement announced today requires Nationwide to be more transparent about its data collection practices, including by disclosing to consumers that it retains their personal information, even if they do not become its customers.
The settlement was signed by a total of 33 Attorneys General, including New York, Alaska, Arizona, Arkansas, Connecticut, Florida, Hawaii, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, North Carolina, North Dakota, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, and the District of Columbia.
New York was represented by the Attorney General’s Bureau of Internet and Technology Deputy Bureau Chief Clark Russell, under the supervision of Bureau Chief Kathleen McGee. The Bureau of Internet and Technology is overseen by Executive Deputy Attorney General for Economic Justice Manisha M. Sheth.