On August 9, 2017, Nationwide Mutual Insurance Co. (“Nationwide”) agreed to a $5.5 million settlement with attorneys general from 32 states in connection with a 2012 data breach that exposed the personal information of over 1.2 million individuals.

The settlement comes on the heels of a multistate investigation into the circumstances surrounding the breach. In October 2012, Nationwide and its affiliate, Allied Property & Casualty Insurance Co. (“Allied”), suffered a breach that resulted in unauthorized access to, and exfiltration of, certain personal information of their customers and other consumers, including names, Social Security numbers, driver’s license numbers, credit scoring data and other data collected to provide quotes to consumers applying for insurance coverage. Attorneys general from the 32 states alleged that the breach occurred when hackers exploited a vulnerability in a third-party web application hosting software used by Nationwide and Allied. According to the attorneys general, Nationwide and Allied had failed to deploy a critical software patch that was released in 2009 to address the vulnerability.

Under the terms of the settlement, Nationwide and Allied agreed to take a series of steps for a period of three years from the effective date of the agreement, including:

  • appointing an individual responsible for managing and monitoring software and application security updates and patches;
  • maintaining an inventory of all systems that process personal information as well as the updates and patches applied to such systems. Nationwide and Allied also must assign a priority level to each new security update and patch under consideration and document the basis for any exceptions;
  • regularly reviewing and updating incident management policies and procedures;
  • maintaining a system management tool that scans systems that process personal information for “common vulnerabilities or exposures” (“CVEs”) and provides near real-time updates regarding known CVEs;
  • purchasing and installing an “automated CVE feed” from a third-party provider;
  • implementing processes and procedures that provide for internal notification, evaluation and documentation of identified CVEs;
  • performing an internal patch management assessment on a semi-annual basis that identifies known CVEs, assigns them a risk rating, confirms appropriate patches have been applied, and documents the basis for any exceptions; and
  • hiring an independent third party to perform a patch management audit on an annual basis.
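As an added illustration of the semi-annual patch management assessment described in the list above (this is example code, not part of the settlement or anything Nationwide runs), the script below reconciles a constructed system inventory against a constructed CVE feed, assigns each finding a risk rating, confirms whether the fixing patch is applied, and lists the unpatched findings for which an exception basis would have to be documented. The host names, patch names and CVE ids are placeholders, not real identifiers.

```python
# Added example (not from the settlement or Nationwide): a minimal version of the
# semi-annual assessment in the list above. Inventory and CVE feed below are
# constructed; the CVE ids and patch names are placeholders, not real identifiers.

# Systems that process personal information, with the patches applied to each.
INVENTORY = [
    {"host": "quote-web-01", "software": {"webhost": "2.1"}, "patches": {"WEBHOST-FIX-A"}},
    {"host": "quote-web-02", "software": {"webhost": "2.1"}, "patches": set()},
    {"host": "db-01", "software": {"webhost": "3.0"}, "patches": set()},
]

# Entries as an automated CVE feed might deliver them (placeholder ids).
CVE_FEED = [
    {"cve": "CVE-0000-0001", "software": "webhost", "affected": {"2.1"},
     "cvss": 9.8, "exploited": True, "fix_patch": "WEBHOST-FIX-A"},
    {"cve": "CVE-0000-0002", "software": "webhost", "affected": {"2.1", "3.0"},
     "cvss": 4.3, "exploited": False, "fix_patch": "WEBHOST-FIX-B"},
]

RATING_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def risk_rating(cvss, exploited):
    """Rate a CVE for prioritisation: known exploitation outranks score alone."""
    if exploited:
        return "critical"
    if cvss >= 7.0:
        return "high"
    return "medium" if cvss >= 4.0 else "low"


def assess(inventory, feed):
    """One finding per (host, CVE) pair where the host runs an affected version."""
    findings = []
    for host in inventory:
        for entry in feed:
            if host["software"].get(entry["software"]) not in entry["affected"]:
                continue  # host does not run an affected version of this software
            patched = entry["fix_patch"] in host["patches"]
            findings.append({"host": host["host"], "cve": entry["cve"],
                             "rating": risk_rating(entry["cvss"], entry["exploited"]),
                             "patched": patched})
    return findings


def exceptions_needed(findings):
    """Unpatched findings, most severe first: each needs a documented basis."""
    return sorted((f for f in findings if not f["patched"]),
                  key=lambda f: RATING_ORDER[f["rating"]])
```

Running `exceptions_needed(assess(INVENTORY, CVE_FEED))` on the constructed data puts the unpatched, actively exploited finding on quote-web-02 at the top of the exception list, which is the case the settlement's patch-priority and exception-documentation requirements are aimed at.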

The settlement further requires Nationwide and Allied to notify consumers that they retain their personal information, even if those consumers do not become insureds.