The multi-state settlement, which also includes Nationwide subsidiary Allied Property and Casualty Insurance Company, flows from an investigation by the participating states into a 2012 data breach that resulted in the loss of social security numbers, driver’s license numbers, credit scoring information and other personal data belonging to 1.27 million consumers.
The states alleged that the October 2012 breach was caused by Nationwide’s failure to apply a critical security patch to its data system, which contained personal information collected by the company in order to provide insurance quotes. The breach affected both consumers who were insured by Nationwide and persons who had sought quotes but never became insured by the company.
“This is an important settlement for consumers in New Jersey and across the nation, because it requires Nationwide to take specific steps designed to enhance its security measures and better protect the personal information of customers and prospective customers,” said Attorney General Porrino. “We live in a world where, for most consumers, it’s difficult if not impossible to avoid having their personal information end up stored in multiple databases. Businesses that collect and keep such data have a duty to safeguard the information. When they fail to do so – when they fail to exercise the appropriate level of care in storing consumer data – our commitment is to hold them accountable.”
The settlement announced today requires Nationwide to take a variety of steps both to update its security practices generally and to ensure the timely application of patches and other updates to its security software.
Nationwide also must hire a Technology Officer responsible for monitoring and managing software and application security updates – including supervising employees responsible for evaluating and coordinating the maintenance, management, and application of all security patches and software and application security updates.
In addition, Nationwide has agreed to take steps during the next three years to strengthen its security practices, including:
Although many consumers whose data was lost as a result of the 2012 breach never became Nationwide customers, the company retained their data in order to more easily provide them re-quotes at a later date.
The multi-state settlement requires Nationwide to be more transparent about its data collection practices by disclosing to consumers that it retains their personal identifying information even if they do not become Nationwide customers. In addition to its injunctive terms, the settlement calls on Nationwide to make a total payment of $5.5 million to the participating states. New Jersey’s share is approximately $101,000.
In addition to New Jersey, the Nationwide settlement has been joined by the Attorneys General of Alaska, Arizona, Arkansas, Connecticut, Florida, Hawaii, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Mississippi, Missouri, Montana, Nebraska, Nevada, New Mexico, New York, North Carolina, North Dakota, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, and the District of Columbia.
Deputy Attorney General Patricia Schiripo, Assistant Section Chief of the Division of Law’s Consumer Fraud Prosecution Section, handled the Nationwide matter on behalf of the State.