For Immediate Release - August 09, 2017

State Receives $100,000 Payment Following AG Investigation Into Nationwide Insurance Company Data Breach

Part of $5.5 Million Multistate Settlement; Personal Information of Nearly 950 Massachusetts Consumers Compromised

BOSTON – Massachusetts has received more than $100,000 as a result of a settlement with Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company (Nationwide), that resolves a multistate investigation into a data breach that compromised the personal information of more than one million people across the country, Attorney General Maura Healey announced today.

The $5.5 million multistate settlement is the result of an investigation by AG Healey’s Office along with 31 other states and the District of Columbia into the 2012 data breach allegedly caused by Nationwide’s failure to apply a critical software security patch.

The breach resulted in the loss of personal information belonging to 1.27 million consumers, with nearly 950 in Massachusetts, including their Social Security numbers, driver’s license numbers, credit scoring information, and other personal data. The lost personal information was collected by Nationwide in order to provide insurance quotes to consumers applying for insurance. AG Healey’s Office is not aware of any fraud or identity theft involving Massachusetts residents related to this data breach.

“People shopping for financial products should be assured that companies collecting their personal information will protect it no matter what,” said AG Healey. “Nationwide knew their software was vulnerable to hacking but did not promptly address it, leaving sensitive data vulnerable to identity thieves. This settlement holds the company accountable for subjecting our residents to this avoidable risk.”

The multistate settlement requires Nationwide to take a number of steps both to update its security practices generally and to ensure that it keeps software up to date, including by applying patches and other updates to its software in a timely manner. Nationwide must also hire a technology officer responsible for monitoring and managing software and application security updates, including supervising employees responsible for evaluating and coordinating the maintenance, management, and application of all security patches and software and application security updates.

Many of the consumers whose data was lost in the breach never became Nationwide’s insureds, but the company retained their information in order to provide them re-quotes at a later date. The settlement requires Nationwide to be more transparent about its data collection practices by requiring it to disclose to consumers that it retains their personal information even if they do not become its customers.

If you believe that you have been the victim of identity theft, you will need to take additional steps to protect your credit and your personal information. For additional information, view the Federal Trade Commission's identity theft resource, available at www.consumer.gov/idtheft/. Guidance for businesses on data breaches can be found here.

In Massachusetts, this case was handled by Assistant Attorney General Sara Cable, Director of Data Security & Privacy in the AG’s Consumer Protection Division. 

The settlement was joined by the Attorneys General of Alaska, Arizona, Arkansas, Connecticut, Florida, Hawaii, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, and the District of Columbia.