Md. Settles with Nationwide Mutual Insurance Company Over 2012 Data Breach

Editor

somd.com Editor
Staff member
PREMO Member
Patron
Attorney General Frosh Announces Settlement with Nationwide Mutual Insurance Company Over 2012 Data Breach

Nationwide must pay $5.5 Million to States; Put Practices in Place to Update Security Measures and Protect Customer Information

BALTIMORE (August 9, 2017) – Attorney General Brian E. Frosh announced today that he, along with the Attorneys General of 32 other states, has reached a settlement with the Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company, concerning an October 2012 data breach. Under the terms of the settlement, Nationwide must pay the states $5.5 million.

The data breach, which was alleged to have been caused by the failure to apply a critical security patch, resulted in the loss of personal information belonging to 1.27 million consumers, including 12,655 Marylanders. The data included social security numbers, driver's license numbers, credit scoring information, and other personal data. The lost personal information had been collected by Nationwide from consumers who were applying for insurance quotes.

"Consumers' personal information is vulnerable and sensitive in this digital age. Companies must establish security measures that will protect that important information," said Attorney General Frosh. "As a result of this settlement agreement, Nationwide must bolster its security protocols to protect its customer information, and it must fully disclose to everyone whose information it collects what its policies are."

The settlement requires Nationwide to take a number of steps to both generally update its security practices and to ensure the timely application of patches and other updates to its security software. Nationwide must also hire a technology officer responsible for monitoring and managing software and application security updates, including supervising employees responsible for evaluating and coordinating the maintenance, management, and application of all security patches and software and application security updates. Additionally, Nationwide agreed to take steps during the next three years to strengthen its security practices, including:

-- Updating its procedures and policies relating to the maintenance and storage of consumers' personal data.

-- Conducting regular inventories of the patches and updates applied to its systems used to maintain consumers' personal information.

-- Maintaining and utilizing system tools to monitor the health and security of their systems used to maintain consumers' personal information.

-- Performing internal assessments of its patch management practices and hiring an outside, independent provider to perform an annual audit of its practices regarding the collection and maintenance of consumers' personal information.

Many of the consumers whose data was lost as a result of the data breach never even became Nationwide's insureds, but the company had been retaining their data for future use. The settlement requires Nationwide to be more transparent about its data collection practices by requiring it to disclose to consumers that it will retain their personal information even if they do not become its customers.

Maryland helped lead the Executive Committee of this multistate investigation, which consisted of the District of Columbia, Arizona, Connecticut, Florida, Illinois, Iowa, Pennsylvania, and Vermont. The settlement was also joined by the Attorneys General of Alaska, Arkansas, Hawaii, Indiana, Kentucky, Louisiana, Maine, Massachusetts, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oregon, Rhode Island, South Dakota, Tennessee, Texas, and Washington.

Consumers who believe they may be a victim of identity theft should contact the Identity Theft Unit by calling (410) 576-6491 or by sending an email to idtheft@oag.state.md.us. Consumers can also visit http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/default.aspx.

In making today's announcement, Attorney General Frosh thanked Assistant Attorney General Richard Trumka Jr. for his work on the case.
 

GURPS

INGSOC
PREMO Member
The data breach, which was alleged to have been caused by the failure to apply a critical security patch ....



I wonder what patch and how long the patch had been released ......

but hey don't let that stop The Gov from suing / fining
 

NTNG

Member
OK, so these states sued Nationwide for $5.5 million. Two questions:
1) What happens to the $ once it is divided up amongst the participating states?
2) Just who does AG Frosh think will eventually pay for the cost of the lawsuit?

yeah, he had all of us in mind when he helped sue a giant insurance firm...
 

Wishbone

New Member
OK, so these states sued Nationwide for $5.5 million. Two questions:
1) What happens to the $ once it is divided up amongst the participating states?
2) Just who does AG Frosh think will eventually pay for the cost of the lawsuit?

yeah, he had all of us in mind when he helped sue a giant insurance firm...

-- Frosh and the Two Mikes 401ks become even bigger, they take a long Sandals Carribean vacation together.
 
Top