Nationwide Will Pay North Carolina and 32 States $5.5 Million for October 2012 Data Breach

The data breach resulted in a loss of personal information affecting 1.27 million consumers

Nationwide Will Pay North Carolina and 32 States $5.5 Million for October 2012 Data Breach
Image: Pexels
August 16, 2017

North Carolina Attorney General Josh Stein says that North Carolina has reached a settlement with the Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company, concerning an October 2012 data breach.

The breach

The data breach, which was alleged to have been caused by the failure to apply a critical security patch, resulted in a loss of personal information affecting 1.27 million consumers. The breached information included social security numbers, driver's license numbers, credit scoring information, and other personal data.

"Data security must be a top priority," said Attorney General Stein. "People must be able to rely on the companies they do business with to keep their personal information safe. I will do everything in my power to protect North Carolinians from the risk of identity theft."

Terms of the settlement

In addition to paying $120,394 to North Carolina, the settlement requires Nationwide to take the following steps to update its security practices and ensure timely application of patches and other security software updates:

  • Hire a technology officer responsible for monitoring and managing software and application security updates;
  • Update its procedures and policies relating to the maintenance and storage consumers' personal data;
  • Conduct regular inventories of the patches and updates applied to its systems used to maintain consumers' personal information;
  • Maintain and utilize system tools to monitor the health and security of these systems;
  • Perform internal assessments of patch management practices and hire an outside, independent provider to perform an annual audit of practices regarding the collection and maintenance of personal information; and
  • Disclose to consumers that Nationwide will retain personal information even if a consumer does not purchase insurance after receiving a quote.

In total, Nationwide will pay the states involved $5.5 million. In addition to North Carolina, the settlement was joined by the Attorneys General of Alaska, Arizona, Arkansas, Connecticut, Florida, Hawaii, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Dakota, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, and the District of Columbia.