WASHINGTON, D. C. – Attorney General Karl A. Racine announced today that his office has reached a $5.5 million settlement with the Nationwide Mutual Insurance Company and a subsidiary in a 33-state investigation over an October 2012 data breach that exposed nearly 1.3 million consumers’ personal information. The Office of the Attorney General (OAG) Office of Consumer Protection led the investigation of Nationwide and its subsidiary, Allied Property & Casualty Insurance Company.

The attorneys general allege the data breach was caused by Nationwide’s failure to apply a critical security patch to its software. This failure resulted in the exposure of sensitive personal information belonging to 1.27 million consumers, including 168 District residents. That data included customers’ Social Security numbers, driver’s license numbers, credit scores, and other private information that Nationwide originally collected to provide insurance quotes to customers.

“Consumers in the District and across the nation entrust their personal information to retailers every day,” Attorney General Racine said. “Data breaches open the door to identity theft, which can have real and devastating consequences for hard-working people, and we hope today’s settlement reminds retailers that they have a responsibility to do everything they can to protect consumers’ private information.”

The settlement requires Nationwide to update its security practices and ensure the timely application of patches and other updates to its security software. Nationwide must hire a technology officer responsible for monitoring and managing software and application security updates, including supervising employees responsible for evaluating and coordinating the maintenance, management, and application of all security patches and software and application security updates.

Additionally, Nationwide agreed to take steps during the next three years to strengthen its security practices, including:

• Updating its procedures and policies relating to the maintenance and storage of consumers’ personal data;
• Conducting regular inventories of the patches and updates applied to its systems used to maintain consumers’ personal information;
• Maintaining and utilizing system tools to monitor the health and security of its systems used to maintain personal information;
• Performing internal assessments of its patch management practices;
• And hiring an independent outside provider to perform an annual audit of its practices regarding the collection and maintenance of personal information.

Many of the consumers whose information was exposed as a result of the data breach were consumers who never actually purchased insurance from Nationwide, but the company retained their data in order to more easily provide the consumers re-quotes at a later date. The settlement requires Nationwide to be more transparent about its data collection practices by requiring it to disclose to consumers that it retains their personal information even if they do not become its customers.

In addition to instituting these new security practices as part of the settlement, Nationwide also agreed to make a payment of $5.5 million to the states. The District’s share of the settlement is $200,223.44.

“Many thanks to Phil Ziperman, the Director; and Jimmy Rock, the Deputy Director, of our Office of Consumer Protection for their hard work in leading this investigation,” Attorney General Racine said. “They and their team have worked hard in the last two years to turn the District into a national leader on major multi-state actions to protect consumers.”

In addition to Attorney General Racine, attorneys general from Alaska, Arizona, Arkansas, Connecticut, Florida, Hawaii, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, and Washington state also joined the settlement. A copy of the final agreement is available here.

Protecting Your Personal Privacy
To learn more about how to protect your personal information from scammers or how to spot signs of identity theft, OAG offers resources you can download and reprint through our online Consumer Education Library at this link.

Reporting Consumer Complaints
If you believe you may have been a victim of identity theft or your personal information may have been exposed by a retailer, you can report it to OAG’s Office of Consumer Protection through the OAG Consumer Hotline at (202) 442-9828, by sending an e-mail to consumer.protection@dc.gov, or online using OAG’s Consumer Complaint Form.