$5.5 Million Data Breach Settlement Highlights the Importance of Prompt Patching

The importance of applying patches promptly to address critical security vulnerabilities has been highlighted by a recent $5.5 million data breach settlement.

Yesterday, New York Attorney General Eric T. Schneiderman announced that a settlement has been reached with Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company, to resolve a multi-state data breach investigation involving New York and 32 other states.

Nationwide will pay a total of $5.5 million, $103,736.78 of which will go to New York State. The settlement will cover the costs of the investigation and litigation, with the remaining funds used for consumer protection law enforcement and other purposes.

The investigation was launched following a 2012 breach of the sensitive data of 1.27 million individuals, some of whom were customers, although many had only obtained quotes from Nationwide and its subsidiary and did not go on to take out insurance policies.

In 2012, hackers infiltrated Nationwide’s systems and stole the personal information of consumers along with highly sensitive data such as Social Security numbers, driver’s license numbers, and credit scoring information.

The hackers gained access to Nationwide’s systems via a vulnerability in a third-party web application. While not all data breaches are the fault of the breached entity, in this case the breach could easily have been prevented: a patch addressing the critical vulnerability had been released by the third-party software company three years earlier, but Nationwide had failed to apply it. The patch was only applied after the breach occurred.

The data breach investigation was led by Attorneys General for Connecticut, the District of Columbia, Florida and Maryland. Connecticut Attorney General George Jepsen said, “It is critically important that companies take seriously the maintenance of their computer software systems and their data security protocols.”

Attorney General Schneiderman said, “Nationwide demonstrated true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process.” Schneiderman went on to say, “This settlement should serve as a reminder that companies have a responsibility to protect consumers’ personal information regardless of whether or not those consumers become customers. We will hold companies to account if they don’t.”

The settlement was reached on a no-fault basis. In addition to the financial penalty, Nationwide is required to keep its software up to date, including third-party software applications, and to improve its data security. Nationwide is also required to hire a technology officer to monitor and manage patches and software updates, and to update its policies and procedures for storing and maintaining consumers’ personal information.

Nationwide must also make clear to consumers that their personal information is retained, even if they do not sign up for insurance policies with the company or its subsidiaries.

Nationwide is not a HIPAA-covered entity, but the settlement does serve as a warning for healthcare organizations that fail to adopt security best practices. OCR is not the only regulator that can issue large fines for the failure to protect sensitive information.

This is just one of several actions taken by attorneys general over data breaches and the response to them. Earlier this year, CoPilot Provider Support Services Inc. was fined $130,000 by the New York Attorney General.

In that case, the fine was not for the breach itself but for the lack of action afterwards. The breach occurred in October 2015; CoPilot contacted the FBI about the incident in February 2016, then delayed issuing breach notification letters until January 2017. The fine was not for a HIPAA violation, but for a breach of General Business Law § 899-aa for unnecessarily delaying breach notifications to consumers.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.