On October 3, 2012, Nationwide Mutual Insurance Company and its wholly-owned subsidiary Allied Property & Casualty Insurance Company experienced a data breach when a hacker exploited a vulnerability on the companies’ web application hosting software. This hack resulted in the compromise of the personal information of 1.27 million consumers, including social security numbers, driver’s license numbers, credit scoring information, and other data used to provide insurance quotes.
Many of the affected consumers were not actually insured by Nationwide, but their personal information was retained in order to facilitate the provision of quotes in the future.
On August 9, 2017, the attorneys general for 32 states and the District of Columbia reached a settlement with Nationwide, acting for itself and for its subsidiary, Allied, in culmination of two class-action lawsuits brought by consumers in reaction to the data breach. The settlement represents a combined effort of state attorneys general to address regulatory claims and fines, and assess the question of civil liability for companies that fail to properly safeguard consumer information. Attorneys General already work together in relation to multi-state data breaches through the National Association of Attorneys General (“NAAG”) and other collaborative fora. Despite Nationwide’s denial that the state attorneys general had jurisdiction over the Nationwide matter, this settlement underscores the significant multi-state regulatory risk for companies arising from a breach.
Under the terms of the settlement agreement, Nationwide will pay $5.5 million to states with affected residents. Of the total payout, New York will receive $104,000, for its 2,810 affected residents. These funds will be put toward consumer protection or privacy law enforcement as well as related litigation and investigation expenses, consumer education, and consumer aid. As part of the settlement, Nationwide must also adopt a policy of greater transparency regarding its data collection policy, update its internal security procedures, regularly monitor its systems, and hire an information technology officer responsible for monitoring application security updates and security patch management.
The Nationwide settlement shows the double- or even triple-edged nature of the patchwork of state data breach notification and data security laws (of which there are currently 48 different state variants). On the one hand, even a small data breach can create incredible complexity, as the breached entity struggles to meet its varied and – at times – varying reporting and security obligations under state law. On the other hand, attorneys general are willing to work together to resolve regulatory claims, which can reduce complexity, in that the breached entity may only have to strike one settlement deal, instead of negotiating a separate settlement in each jurisdiction. However, attorneys general who work together on data breach claims may be able to apply more leverage against the breached entity than they would alone. Case in point: New York State, which had only 2,810 affected residents (out of the total pool of 1.27 million affected individuals), was still able to participate in the settlement.
The lesson to be learned from the Nationwide settlement: attorneys general are keenly focused on the issue of multi-state breaches and a company is well served looking at its state-law obligations before a breach, rather than scrambling to assess multi-state risk in the fog and confusion that inevitably arises post breach.