It appears that the insurance company Nationwide, despite its catchy slogan, may not be on your side. Nationwide Mutual Insurance Company has just settled a legal complaint brought against it by the attorneys general of 32 states and the District of Columbia related to a 2012 data breach in which sensitive personal information including Social Security numbers of 1.2 million of its customers and even people who merely applied for insurance quotes and did not buy insurance from Nationwide was stolen in a massive hacking and data breach.
Under the terms of the settlement Nationwide will pay 5.5 million dollars to the states’ attorneys general who will use the funds to cover the costs of the investigation and legal action against Nationwide as well as to assist in future consumer protection enforcement cases.
Two class actions by injured consumers regarding the data breach are still pending in the courts.
The key reason for the liability of Nationwide in this case is that the data breach was made possible due to the failure of Nationwide to update their security software with patches that were already available. Had Nationwide installed the security updates in a timely fashion, the hacking and data breach would have been thwarted.
In addition to the 5.5 million dollar payment, Nationwide is also required under the terms of the settlement to update its security practices, install security updates in a timely manner and take other specified steps to protect consumers’ data. Nationwide is also required to notify consumers that the company keeps their personal information even if the consumer does not become a customer of Nationwide.
You will continue to see legal actions, settlements and court decisions such as this in the future as law enforcement is increasingly holding companies responsible for their faulty security practices. As New York Attorney General Eric Schneiderman said, “Nationwide demonstrated true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process.”
So what does this mean to you and me?
Once again, this shows that regardless of how protective you are of your personal information, you are only as safe as the companies and institutions with the weakest security that have your information. Try as much as you can to limit providing personal information to companies unless there is a real need and inquire as to what the companies do to protect your data. In addition, as I have advised many times, the best thing you can do to protect yourself from identity theft is to put a credit freeze on your credit reports at the three major credit reporting agencies. You can learn how to do this by going to the “search the website” section of Scamicide and putting in the words “credit freeze.”