Attorney General Shapiro Announces Settlement with Nationwide Insurance for Data Breach affecting 1.2M Consumers

August 9, 2017 | Topic: Consumers

HARRISBURG — Attorney General Josh Shapiro and a bipartisan coalition of 32 other Attorneys General today announced a settlement with Nationwide Mutual Insurance Company and a subsidiary for a 2012 data breach that resulted in the loss of personal information belonging to more than 1.2 million Americans, including 36,000 Pennsylvanians.

The data breach, caused by the companies’ alleged failure to apply a critical security patch, resulted in the loss of consumers’ social security numbers, driver’s license numbers, credit information and other personal data. The lost personal information was collected by Nationwide in order to provide insurance quotes to consumers applying for insurance.

“Protecting Pennsylvanians’ privacy and personal information like Social Security numbers and credit data is a key priority. Anyone, whether it’s a large company or an online scammer, who fails to protect your information will be held accountable,” Attorney General Shapiro said. “This data breach affected more than one million Americans – including 36,000 Pennsylvanians. The reforms required by the settlement will help ensure Nationwide protects consumers’ personal information better in the future.”

As part of the settlement, Nationwide and its subsidiary, Allied Property & Casualty Insurance Company, agreed to pay $5.5 million to a group of 33 attorneys general to resolve the data breach investigation. Of that total, Pennsylvania will receive $248,830.

The settlement requires Nationwide to initiate a series of actions to update its security and ensure the timely application of patches and other updates to its security software:

  • Nationwide must hire a technology officer responsible for monitoring and managing software and application security updates.
  • Strengthen its procedures relating to the maintenance and storage of consumer data.
  • Conduct regular inventories of the patches and updates applied to its systems used to maintain consumers’ personal information.
  • Hire an outside, independent provider to perform an annual audit of its practices regarding the collection and maintenance of consumers’ personal information.

Many of the consumers whose data was lost as a result of the data breach never became insured by Nationwide. However, the company retained their data in order to more easily provide re-quotes at later times. The settlement requires Nationwide to be more transparent about its data collection practices and compels it to disclose to consumers that it retains their information even if they do not become customers.

In addition to Attorney General Shapiro, the settlement was joined by the Attorneys General of Alaska, Arizona, Arkansas, Connecticut, Florida, Hawaii, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oregon, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, and the District of Columbia.

# # #