Nationwide Mutual Insurance Co. agreed to a $5.5 million settlement over a 2012 data breach that led to the theft of more than 1 million customers' personal information, attorneys general for 33 states announced Wednesday.
The settlement came after the states claimed Nationwide and a subsidiary failed to apply a critical security patch to its network that could have protected it from the cyberattack. Attorneys general from Connecticut, Florida, New York, Pennsylvania, Texas and Washington, D.C., were among those involved with the settlement.
Data from consumers seeking quotes
Hackers were able to gain access to Social Security numbers, driver's license numbers, credit scoring information and other personal data the company collected on consumers seeking quotes, according to New York Attorney General Eric Schneiderman's office. Many of the victims were not ultimately insured by Nationwide.
As part of the settlement, the insurance company agreed to be more transparent about its data collection policy for those that don't become customers, Schneiderman's office said.
"This settlement should serve as a reminder that companies have a responsibility to protect consumers' personal information regardless of whether or not those consumers become customers. We will hold companies to account if they don't," Schneiderman said in a statement, noting that nearly 3,000 New Yorkers were among the victims.
Agreed to improve internal security practices
As part of the agreement, Nationwide will improve its internal security practices, according to the AGs. The company also agreed to more regularly apply security updates, and to hire a technology officer responsible for monitoring application and software security.
Connecticut Attorney General George Jepsen noted state law "requires that anyone in possession of another person's personal information safeguard that data." Nearly 1,000 Connecticut residents were affected by the breach.
In the wake of the breach, Nationwide provided free credit monitoring and identity theft protection to those impacted, in addition to fraud expense coverage up to $1 million and access to credit reports, the AGs noted.
"Consumers in the district and across the nation entrust their personal information to retailers every day," D.C. Attorney General Karl Racine said in a statement. "Data breaches open the door to identity theft, which can have real and devastating consequences for hard-working people, and we hope today's settlement reminds retailers that they have a responsibility to do everything they can to protect consumers' private information."
'Protecting consumer data is something that we take seriously'
In a statement, Nationwide spokesman Eric Hardgrove said the company was "pleased" with the settlement over the data breach caused by "a sophisticated, criminal attack" that the company "took immediate steps to successfully contain." The settlement itself "does not include any allegations that we violated data security laws" as the insurance company does not believe any such laws were violated.
"The decision to enter into a settlement agreement reflects our desire to continue our strong cybersecurity program and to concentrate on our core business operations," Hardgrove said. "Protecting consumer data is something that we take seriously. We believe a private/public partnership would be the best approach to combat cyberattacks on U.S. companies, and we are pleased Nationwide is at the forefront of this approach."
Originally published on New York Law Journal. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.