On August 9, 2017, attorneys general representing 32 states and the District of Columbia announced a settlement with Nationwide Mutual Insurance Co. and its unit Allied Property & Casualty (collectively, “Nationwide”) to resolve the states’ investigation into the company’s 2012 data breach. Under the terms of the Assurance of Voluntary Compliance (“AVC”), found here, Nationwide will pay $5 million to the states.

According to a press release by Florida Attorney General Pam Bondi, Nationwide experienced a criminal data breach in October 2012 that impacted 1.27 million consumers. The AVC alleges that the data breach occurred when hackers exploited a vulnerability in Nationwide’s web application hosting software. After the data were exfiltrated, Nationwide addressed the software vulnerability by applying a software patch that was not previously applied, according to the AVC.

The data breach may have resulted in the loss of consumers’ Social Security numbers, driver’s license numbers, credit scoring information and other personal data. Nationwide collected this personal information to provide insurance quotes to consumers applying for insurance, according to Attorney General Bondi.

In addition to the $5.5 million settlement, Nationwide also agreed to take the following steps during the next three years to strengthen its security practices:

  • Updating procedures and policies relating to the maintenance and storage of consumers’ personal data;
  • Conducting regular inventories of the patches and updates applied to its systems, performing internal assessments of patch management practices and hiring an independent provider to perform annual audits; and
  • Maintaining and utilizing system tools to monitor the health and security of systems used to maintain personal information.

State attorneys general have been active in investigating data breaches and promoting effective cybersecurity standards. The latest settlement continues that pattern but is particularly noteworthy for two principal reasons:

  • First, the settlement figure of $5.5 million is large given the number of customers impacted, which is comparatively small when viewed in the context of other recent, large state breach settlements.This is likely due to the sensitivity of the information exposed. Other breaches often have involved payment card information, which is typically considered less sensitive because consumers can be issued new credit and debit cards.
  • Second, the settlement demonstrates the states’ continued interest in investigating data breaches and establishing comprehensive cybersecurity standards. State attorneys general are interested not only in monetary payment, but also in requiring companies to take steps to strengthen its security practices. As a result, companies that collect and store personal information should closely monitor these AVCs to ensure that they have proper security controls in place.

Florida was a “lead state in the investigation,” according to Attorney General Bondi's office. The other AG offices participating are those of Alaska, Arizona, Arkansas, Connecticut, Hawaii, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington and the District of Columbia.