“USA Today: Nationwide Mutual Insurance Agrees to $5.5M Settlement Over Data Breach”
August 14, 2017
As published by USA Today, on August 9, 2017.
Nationwide Mutual Insurance company will pay a $5.5 million settlement for the 2012 data breach that exposed personal information for an estimated 1.27 million consumers, state officials said Wednesday.
Carried out by computer hackers, the data breach scooped up Social Security numbers, drivers license data, credit scoring information and other personal data collected to provide insurance quotes to consumers who applied for Nationwide’s insurance plans.
Attorneys General in 32 states alleged the breach was made possible by the failure of Nationwide and an affiliate to apply a critical security patch intended to stop potential hackers.
“Nationwide demonstrated true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process,” New York Attorney General Eric Schneiderman said in a statement about the agreement.
Nationwide detected, dealt with and reported the breach. The company “is pleased to have reached a settlement that we believe is consistent with our longstanding commitment to protect customer information,” said spokesman Eric Hardgrove.
Following the breach, Nationwide offered the affected consumers a year of free credit monitoring and identity-fraud protection of up to $1 million through a third-party vendor, court records show.
The company also suggested that consumers set up a fraud alert and place a security freeze on their respective credit reports.
However, a Nationwide website with information related to the data breach explained that a security freeze would impede consumers ability to obtain credit, and would cost between $5 and $20 to put in place and remove, court records show. Nationwide did not offer to pay for the potential expenses.
Consumers filed two proposed class-action lawsuits against Nationwide. A federal district court in Ohio combined the cases, and ultimately dismissed the complaints on grounds that the plaintiffs lacked legal standing.
That ruling was partially overturned in a federal appeals court decision last September that sent the combined cases back to the lower court for further proceedings.
Nationwide’s new settlement with the states requires the company to update its procedures for maintenance and storage of consumers’ personal data, conduct regular inventories of computer system security patches and updates and take other steps to safeguard consumer information.
According to the settlement, the states are authorized to use the settlement funds for investigation and litigation costs, consumer protection law enforcement purposes and other programs.