Attorney general announces multi-state settlement with Nationwide

TRENTON, NJ — Attorney General Christopher S. Porrino announced Aug. 9 that New Jersey, along with 31 other states and the District of Columbia, has entered into a settlement with Nationwide Mutual Insurance Company that resolves allegations linked to a data breach that compromised the personal identifying information of more than one million consumers.

The multi-state settlement, which also includes Nationwide subsidiary Allied Property and Casualty Insurance Company, flows from an investigation by the participating states into a 2012 data breach that resulted in the loss of social security numbers, driver’s license numbers, credit scoring information and other personal data belonging to 1.27 million consumers.

The states alleged that the October 2012 breach was caused by Nationwide’s failure to apply a critical security patch to its data system, which contained personal information collected by the company in order to provide insurance quotes. The breach affected both consumers who were insured by Nationwide and persons who had sought quotes but never became insured by the company.

“This is an important settlement for consumers in New Jersey and across the nation, because it requires Nationwide to take specific steps designed to enhance its security measures and better protect the personal information of customers and prospective customers,” Porrino said in a press release. “We live in a world where, for most consumers, it’s difficult if not impossible to avoid having their personal information end up stored in multiple databases. Businesses that collect and keep such data have a duty to safeguard the information. When they fail to do so — when they fail to exercise the appropriate level of care in storing consumer data — our commitment is to hold them accountable.”

The settlement announced Aug. 9 requires Nationwide to take a variety of steps both to generally update its security practices and to ensure the timely application of patches and other updates to its security software.

Nationwide also must hire a technology officer responsible for monitoring and managing software and application security updates, including supervising employees responsible for evaluating and coordinating the maintenance, management, and application of all security patches and software and application security updates.

In addition, Nationwide has agreed to take steps during the next three years to strengthen its security practices, including updating its procedures and policies relating to the maintenance and storage of consumers’ personal data; conducting regular inventories of the patches and updates applied to its systems used to maintain consumers’ personal identifying information; maintaining and utilizing system tools to monitor the health and security of its systems used to maintain personal identifying information; performing internal assessments of its patch management practices; and hiring an outside, independent provider to perform an annual audit of its practices regarding the collection and maintenance of personal identifying information.

Although many consumers whose data was lost as a result of the 2012 breach never became Nationwide customers, the company retained their data in order to more easily provide them re-quotes at a later date.

The multi-state settlement requires Nationwide to be more transparent about its data collection practices by disclosing to consumers that it retains their personal identifying information even if they do not become Nationwide customers. In addition to its injunctive terms, the settlement calls on Nationwide to make a total payment of $5.5 million to the participating states. New Jersey’s share is approximately $101,000.

In addition to New Jersey, the Nationwide settlement has been joined by the attorneys general of Alaska, Arizona, Arkansas, Connecticut, Florida, Hawaii, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Mississippi, Missouri, Montana, Nebraska, Nevada, New Mexico, New York, North Carolina, North Dakota, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington and the District of Columbia.