Iowa getting $322,000 in Nationwide data breach settlement

More than a million Nationwide Mutual Insurance Co. customers will get a piece of the $5.5 million multi-state settlement the company is paying out following a 2012 data breach.

Ohio-based Nationwide and its subsidiary, Allied Property & Casualty Insurance Co., will also enhance their online security practices as part of the settlement and pay $321,837 to Iowa’s consumer education and litigation fund, according to a press release issued Thursday by the Iowa Department of Justice.

As a result of the October 2012 breach, personal information from 1.27 million consumers — including some who were only prospective customers — was exposed, among them 91,620 Iowans, according to the release. The personal data, collected for the purposes of providing insurance quotes, included Social Security numbers, driver’s license numbers, and credit-scoring information.

The 32 states plus the District of Columbia allege the breach occurred after Nationwide failed to apply a critical security patch, the release states.

“Companies that collect or store personal data must understand that they need to protect it,” Attorney General Tom Miller said. “Data breaches like this expose consumers to identity theft, financial harm, a loss of privacy, and added stress.”

Per the settlement, the insurer will be required to:

  • Take steps to generally update security practices
  • Timely apply security patches and other updates to its security software
  • Hire a technology officer to monitor and manage software and application security updates, and to supervise employees responsible for evaluating and coordinating the company’s maintenance, management, and application of security patches and software and application security updates

In the next three years, the company also is to:

  • Update procedures and policies relating to the maintenance and storage of consumers’ personal data
  • Conduct regular inventories of the patches and updates applied to its systems
  • Perform internal assessments of its patch management practices
  • Hire an outside, independent provider to perform an annual audit of its practices regarding the collection and maintenance of PII