On August the 9th, Attorney General Brian E. Frosch announced that he and the attorneys general of 32 other states had reached a settlement with Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company. The settlement concerns an October 2012 data breach, which impacted roughly 1.27 million consumers. 12,655 Marylanders were affected by the breach.
Nationwide will now be required to pay the 33 states $5.5 million. It was alleged that the data breach occurred due to the company’s failure to implement a security patch. The breach resulted in the personal information belonging to 1.27 million consumers being lost. The information included the consumers’ social security numbers, driver’s license numbers, credit scores, and other data. The information was collected when consumers attempted to apply for insurance quotes with the company.
Maryland Attorney General Frosch made a statement about the settlement. “Consumers’ personal information is vulnerable and sensitive in this digital age. Companies must establish security measures that will protect that important information. As a result of this settlement agreement, Nationwide must bolster its security protocols to protect its customer information and it must fully disclose to everyone whose information it collects what its policies are.”
Besides the $5.5 million fine, the company is also required to take steps to enhance security practices and ensure timely application of future patches. Nationwide will also be required to hire a technology officer who will be solely responsible for monitoring and managing updates, as well as supervising employees responsible for evaluating and coordinating security updates.
Many of the individuals who became victims of the data breach were not even insured by Nationwide. Nevertheless, the company was retaining their data for future use. Thanks to the settlement, Nationwide will now be required to exhibit more transparency about its data collection practices. The company will need to disclose its practices to consumers even if those consumers do not become customers.