Tag Archives: Nationwide

Nationwide Agrees to Settle Breach Investigation for $5.5 Million

Nationwide has settled the investigation into its 2012 data breach with 32 state attorneys general for $5.5 million. Beyond the payment, the settlement requires Nationwide to adopt several security practices going forward.

Breach Background

Nationwide suffered a breach in October 2012 leading to the unauthorized access and exfiltration of personal information of 1.2 million customers and other consumers. Compromised information included: Names, Social Security numbers, driver’s license numbers, credit scoring data, and other data used to provide consumers with insurance quotes.

The attorneys general's investigation alleged that Nationwide failed to apply a critical security patch that had been released in 2009. Attackers exploited the unpatched vulnerability in Nationwide's web application hosting software to steal the data.

Settlement Terms

Under the settlement, Nationwide must update its patch management process and hire an individual responsible for managing its security update procedures.

For the next three years, Nationwide must:

  • Maintain an inventory of all systems processing personal information and the updates and patches applied to them
  • Maintain tools to scan systems processing personal information for common vulnerabilities
  • Perform internal assessments of its patch management process semi-annually, and have an independent party perform an annual audit of the patch management process

Sixth Circuit Finds Breach Victims’ Heightened Risk of Harm Establishes Standing

The Sixth Circuit has made it easier for victims of a data breach to proceed in court. In a case brought by alleged victims of a data breach at Nationwide Mutual Insurance Company, the appellate court ruled that a substantial risk of future harm following a data breach, together with the reasonable costs of mitigating it, is sufficient to establish Article III standing.

Nationwide Data Breach

Nationwide Mutual Insurance Company suffered a data breach on October 3, 2012. Hackers gained access to Nationwide’s computer network and stole personal information of 1.1 million customers. The stolen information included the following: name, date of birth, Social Security number, driver’s license number, gender, marital status, occupation, and employer.

Victims learned of the breach when they received a notification letter from Nationwide. As breach notification laws require, the letter suggested steps victims could take to mitigate potential harm: monitoring bank account statements and credit reports, and placing a security freeze on their credit reports. In the same letter, Nationwide also offered one year of free credit monitoring and identity theft protection services.

Lawsuit

The data breach victims filed a lawsuit against Nationwide asserting claims for negligence, bailment, and violation of the Fair Credit Reporting Act (FCRA). They alleged that the breach presented an "imminent, immediate, and continuing increased risk" of identity fraud: because there is a widely recognized market for stolen data, the breach created a reasonable risk that their information would be used for identity theft. The victims also alleged that they incurred out-of-pocket costs by purchasing mitigation services to protect against that risk.

District Court Decision

The district court granted Nationwide's motion to dismiss, concluding that the victims had not alleged a cognizable injury and therefore lacked Article III standing to proceed. The court also ruled that the victims had no statutory standing under FCRA and that it lacked jurisdiction over that claim. Unsurprisingly, the breach victims appealed.

To recap, a plaintiff seeking to establish Article III standing must show (1) an actual or threatened injury, (2) that the injury is fairly traceable to the defendant's conduct, and (3) that the injury is likely to be redressed by a favorable court decision.

Sixth Circuit Decision

The Sixth Circuit reversed the district court's decision and remanded the case. The Sixth Circuit held that the victims had alleged an injury in fact, that the injury was fairly traceable to Nationwide's conduct, and that it was likely to be redressed by a favorable court decision.

According to the Sixth Circuit, the victims' allegations of "a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury." In other words, when a data breach deliberately targets personal information, it is reasonable to infer that the information will be used for fraudulent purposes, and the costs victims reasonably incur to mitigate that risk are themselves a concrete injury.

This conclusion is consistent with two recent decisions from the Seventh Circuit in the cases against Neiman Marcus and P.F. Chang’s.

Key Takeaway

This decision by the Sixth Circuit is the latest in a series of key decisions concluding that data breach victims have Article III standing without having alleged actual fraud or identity theft.

This case is also interesting because of how the notification letter was used against Nationwide. The letter offered victims credit monitoring and identity theft protection services, and the Sixth Circuit cited that offer as evidence that Nationwide itself recognized the risk of harm the breach presented.

There is growing concern that these mitigation services could be used against companies in future lawsuits. Many companies offer such services in the wake of a data breach, and some state breach notification laws actually require companies to offer them to victims. This puts companies in a difficult position: the very steps they take, or are required to take, to protect victims may later be cited as an admission that the breach created a real risk of harm, and companies may be forced to rethink how they respond to a data breach.