Rutledge, Nationwide Insurance Reach Settlement
August 9, 2017
Arkansas will receive over $100,000
LITTLE ROCK – Arkansas Attorney General Leslie Rutledge, along with 32 other attorneys general, has reached a settlement with the Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company.
The settlement resolves issues that arose from an October 2012 data breach in which Nationwide allegedly failed to apply a critical security patch, resulting in the loss of personal information belonging to 1.27 million consumers. This personal information included social security numbers, driver’s license numbers, credit scoring information and other personal data.
“Nationwide had the capability to protect the personal information of Arkansans, but it allegedly failed to act,” said Attorney General Rutledge. “This action exposed the personal information of consumers to con artists and placed their credit and identity at risk.”
The settlement requires Nationwide to take a number of steps to both generally update its security practices and to ensure the timely application of patches and other updates to its security software. Nationwide must also hire a technology officer responsible for monitoring and managing software and security updates, including supervising employees responsible for evaluating the maintenance, management and application of all security patches and software updates. Additionally, Nationwide agreed to take steps during the next three years to strengthen its security practices, including:
- Updating its procedures and policies relating to the maintenance and storage of consumers’ personal data.
- Conducting regular inventories of the patches and updates applied to its systems used to maintain consumers’ personal information.
- Maintaining and utilizing system tools to monitor the health and security of its systems used to maintain consumers’ personal information.
- Performing internal assessments of its patch management practices and hiring an independent provider to perform an annual audit of its practices regarding the collection and maintenance of consumers’ personal information.
Many of the consumers whose data was lost as a result of the data breach were consumers who never became Nationwide’s insureds, but the company retained their data in order to more easily provide the consumers re-quotes at a later date. The settlement requires Nationwide to be more transparent about its data collection practices by requiring it to disclose to consumers that it retains their personal information even if they do not become its customers.
In addition to the injunctive terms, Nationwide agreed to make a payment of $5.5 million to the states, of which Arkansas will receive $100,795.23.
The settlement was joined by the Attorneys General of Alaska, Arizona, Arkansas, Connecticut, Florida, Hawaii, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, and the District of Columbia.