Connecticut has joined with 31 other states and Washington, D.C., in a $5.5 million settlement with Nationwide Mutual Insurance Co. and its subsidiary, Allied Property & Casualty Insurance Co., that resolves the states’ investigation into a 2012 data breach that exposed sensitive personal information of 1.2 million consumers across the country.

Nationwide and Allied (collectively, Nationwide) experienced a data breach on Oct. 3, 2012, when, the states’ investigation found, hackers exploited a vulnerability in the companies’ third-party web application hosting software. The investigation also found that Nationwide had failed to apply a critical software patch that the third-party software company had deployed in 2009 to address the vulnerability.

The vulnerability allowed hackers to access consumer information that Nationwide collected when providing consumers with quotes for its insurance products. Personal information – including full names, sex, occupations, employer names and addresses, driver’s license numbers and states of issuance, Social Security numbers, marital status, dates of birth and a Nationwide internal credit-related score – was accessed by the hackers.

Many of the consumers whose data was lost in the breach never became Nationwide’s insureds, but the company retained their data so that it could more easily provide them with additional quotes at a later date. Approximately 774 Connecticut residents were impacted by the breach. The states alleged that the companies’ failure to safeguard consumer information in their possession violated state consumer protection laws.

Connecticut’s share of the settlement funds totals $256,559.28, which will be deposited in the state’s general fund.

In addition to the settlement payment, Nationwide has agreed to be more transparent about its data collection practices by disclosing that it retains information collected from consumers even if the consumers do not become insureds. The companies are required to appoint a qualified individual who is responsible for monitoring and managing software and application security updates and security patch management.