Major insurance company Nationwide Mutual Insurance has voluntarily settled with the attorneys general of 32 states and the District of Columbia. Nationwide has agreed to pay the attorneys general varying amounts of money totaling $5.5 million. This was the settlement amount for Nationwide's failure to prevent a 2012 data breach in which the personal information of 1.27 million consumers was exposed.
The attack, carried out by cyber criminals, succeeded in stealing Social Security numbers, driver's license data, credit scoring information, and other personal data. The stolen data is typically used when giving a quote to customers. Nationwide had failed to apply a critical security patch that would have prevented the hackers from getting into its network. Nationwide was able to quickly detect the breach and take steps to mitigate the damage. However, what was stolen has cost the company $5.5 million in settlement, excluding legal fees, and the cost would have been higher had the case gone through the entire legal battle.
This settlement is much more than just a financial penalty for Nationwide. The company will be required to change its data management processes with regard to the maintenance and storage of consumer personal data. Additionally, Nationwide will have to conduct more frequent reviews of its system status and apply all patches and updates as they come. Above all, Nationwide must overhaul its current security procedures to better safeguard consumer information.
After the breach, Nationwide offered the standard year of free credit monitoring and identity-fraud protection via a third-party vendor. The company also offered what would seem to be contradictory advice to consumers who may have been affected. Nationwide had suggested to consumers that they freeze their credit reports and set up a fraud alert on those reports. Nationwide later stated on a website related to the breach that a security freeze on their credit reports would prevent consumers from gaining credit. That is in addition to a $5 to $20 fee to put the freeze in place and remove it later. Nationwide did not offer to pay this fee for those consumers who did decide to put a freeze in place.
The states involved in the settlement are authorized to use the money for litigation costs, law enforcement, and consumer security programs.
This settlement reflects the prolonged damage a data breach can cause an organization. Eroded brand equity, litigation costs, loss of customers, new regulations, and much more are the end result of not maintaining systems. This breach happened 5 years ago and has kept Nationwide locked in a legal battle with 32 states and the District of Columbia just to reach a settlement. The length and scope of the case likely cost millions more than the final settlement.
In 2017 alone there have been many more breaches whose final outcomes you may hear about years from now. Some of the companies that were victims of breaches were E-Sports Entertainment Association, InterContinental Hotels Group, Arby's, River City Media, Verifone, Saks Fifth Avenue, UNC Health Care, IRS, Chipotle, Kmart, and DocuSign. These were just a few of this year's victims. The scope of each breach was significant and will likely generate some court cases in the future.
Organizations should not wait until there is an incident to make sure their security practices are up to date. Instead, proactive measures should be taken to mitigate the chance of a breach by external malicious actors. However, in most of the breaches listed above, it was insider threats that caused the breaches.
Human negligence is what companies should be worried about. Thankfully, there are security solutions that can help you prevent insider threats while alerting you to odd behavior in your network. Teramind offers a flexible security solution that uses the latest developments in security technology to help you prevent insider incidents and detect compromise in your system. Find out more at Teramind.co.