Insurer Nationwide “demonstrated true carelessness while collecting and retaining information from prospective customers,” New York Attorney General Eric Schneiderman said Wednesday as 32 states including Florida settled charges related to a data breach.
The breach dates back to 2012. The states allege it was caused by the failure to apply a critical security patch intended to prevent hacking and viruses, resulting in the loss of personal information belonging to 1.27 million consumers including Social Security numbers, driver license and other information.
Information was collected from prospective customers, many of whom did not ultimately buy policies from Nationwide Mutual Insurance Co. or subsidiary Allied Property & Casualty Insurance Co.
Nationwide will pay a total of $5.5 million. It agreed to a series of steps to strengthen security procedures including the hiring of a technology officer to oversee compliance.
A company spokesman said Nationwide does not believe it broke any data security laws:
“More than four years ago, a portion of our computer network used by Nationwide Insurance agents and Allied Insurance agents was subject to a sophisticated, criminal attack. We discovered the attack that day and took immediate steps to successfully contain the attack. We promptly reported the criminal attack to law enforcement authorities and notified individuals whose personal information we believed may have been compromised. We also offered those individuals a free credit monitoring and identity theft protection product.”