Part of $5.5 million Multistate settlement; personal information of nearly 950 Massachusetts consumers compromised
On August 9, 2017, Attorney General Maura Healey announced that Massachusetts had received more than $100,000 as part of a multistate Assurance of Voluntary Compliance between Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company (Nationwide). The Assurance of Voluntary Compliance resolved an investigation into a 2012 data breach at Nationwide compromising the personal information of over 1.2 million individuals across the country,
The $5.5 million multistate settlement results from an investigation by Attorney General Healey’s Office and the attorney generals in Alaska, Arizona, Arkansas, Connecticut, Florida, Hawaii, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, and the District of Columbia into the 2012 data breach.
In Massachusetts, this case was handled by Assistant Attorney General Sara Cable, Director of Data Security & Privacy in the Attorney General’s Consumer Protection Division.
Nationwide’s data breach exposed personal information for 1.1 million customers and prospective customers
On October 3, 2012, hackers broke into Nationwide’s computer network and stole 1.27 million personal information records about Nationwide’s customers and potential customers who had given Nationwide their personal information to obtain quotes for insurance products. The hacked data included names, dates of birth, marital statuses, genders, occupations, employers, Social Security numbers, and driver’s license numbers
Nationwide informed the persons whose personal information records had been compromised in the breach in a letter that advised taking steps to prevent or mitigate misuse of the stolen data, including monitoring bank statements and credit reports for unusual activity. Nationwide offered a year of free credit monitoring and identity-fraud protection of up to $1 million through a third-party vendor. Nationwide also suggested that affected consumers set up a fraud alert and place a security freeze on their credit reports although Nationwide did not offer to pay for expenses associated with a security freeze.
Data breach allegedly caused by failure of Nationwide to apply security updates
The monetary settlement by Nationwide in its Assurance of Voluntary Compliance arose from the attorney generals asserting that Nationwide failed to apply security patches to its computer systems. As a result, a completely avoidable data breach occurred with the resulting theft of the personal information records for 1.2 million consumers.
As Attorney General Maura Healey stated regarding the settlement: “Nationwide knew their software was vulnerable to hacking but did not promptly address it, leaving sensitive data vulnerable to identity thieves. This settlement holds the company accountable for subjecting our residents to this avoidable risk.”
In the Assurance of Voluntary Compliance, Nationwide specifically denied liability in several ways stating, for example, the settlement:
“shall not in any event be construed or deemed to be, or represented or caused to be represented as, an admission or concession or evidence of any liability or wrongdoing whatsoever on the part of Nationwide/Allied or of any fact or violation of any law, rule, or regulation.
However, notwithstanding Nationwide’s denial, the Assurance of Voluntary Compliance requires Nationwide for three years to:
- appoint a specific person with responsibility to manage and monitor security updates and patches;
- maintain an inventory of the systems processing personal information and the updates and patches applied to such systems;
- maintain a system to assign priority levels to each new security update and patch under consideration and document any exceptions;
- maintaining a system management tool that scans systems that process personal information for “common vulnerabilities or exposures;”
- purchase and install an “automated common vulnerability or exposure feed” from a third-party provider;
- perform an internal patch management assessment on a semi-annual basis that identifies known common vulnerabilities or exposures and confirms required patches have been applied, and, finally;
- hire an independent third party to perform a patch audit annually.
Loss of personal information records in a data breach like Nationwide’s may cost individuals more than just time and money
Attorney General Healey’s Office stated in announcing the multistate settlement with Nationwide, that it is not aware of any fraud or identity theft involving Massachusetts residents related to this data breach. However, in one of the class actions against Nationwide recently reinstated by a federal court of appeals the plaintiffs’ set out what a loss of personal information records in a data breach could cost an individual.
In that complaint, the plaintiffs alleged there is an illicit international market for stolen data, which is used to obtain identification, government benefits, employment, housing, medical services, financial services, and credit and debit cards. Identity thieves also use a victim’s identity when arrested, resulting in warrants issued in the victim’s name
These plaintiffs also cited a study purporting to showing recipients of data-breach notifications, such as in the Nationwide breach were 9.6 times more likely to experience identity fraud, and had a fraud incidence rate of 19% and that victims of identity theft and fraud will “typically spend hundreds of hours in personal time and hundreds of dollars in personal funds,” incurring an average of $354 in out-of-pocket expenses and $1,513 in total economic loss.
Attorney General Office’s recommendation on identity theft
In its release, the Attorney General’s Office advised that anyone who thought they might be the victim of identity theft should view the Federal Trade Commission’s identity theft resource, available at www.consumer.gov/idtheft/. Guidance for businesses on data breaches can be found here.
Copy of the Nationwide Assurance of Voluntary Compliance available
For a free copy of Nationwide Assurance of Voluntary Compliance as agreed with the 31 states and the District of Columbia, send your request to: scotter@agencychecklists.com.
In making this request, if you are not a subscriber, you agree to allow us to add your email to our free subscriber list. We agree that we will not share you email address with anyone.
