On August 9, a national insurance company and its wholly-owned subsidiary reached a $5.5 million settlement with 32 states and the District of Columbia to resolve the states’ investigation into a 2012 data breach, which allegedly caused the personal information of certain consumers to be compromised—including social security and driver’s license numbers, as well as credit scoring information and other data. According to the states’ investigation, the October 2012 data breach occurred when hackers were able to exploit a vulnerability in the company’s website application hosting software. A security patch was later applied. Under the terms of the Assurance of Voluntary Compliance, the company agreed to a number of requirements, including:

  • providing an online disclosure notifying consumers that personal information is retained even if they do not become insured;
  • appointing an individual to oversee company security practices and manage and monitor software and application security updates, including security patch monitoring; and
  • hiring an outside, independent provider to conduct a “patch management audit” of the company’s covered systems.

The majority of the requirements last three years.

The company, while admitting that it experienced a data breach, denied any liability or wrongdoing.