On August 9, 2017, it was announced that Nationwide Mutual Insurance Company and its subsidiary Allied Property & Casualty Insurance Company (collectively “Nationwide/Allied”) settled an investigation by 33 state attorneys general into an October 2012 data breach that resulted in the unauthorized disclosure of personal information of 1.27 million consumers. The settlement provides useful cybersecurity guidance.
The Data Breach
The settlement agreement describes the data breach as a criminal intrusion by hackers who exploited a vulnerability in Nationwide/Allied’s web application hosting software. The settlement agreement explains that Nationwide/Allied addressed the vulnerability by applying a software patch that had not previously been applied.
The settlement announcements (e.g. New York and Maryland) explain that the breached data included personal information (e.g. Social Security numbers, driver’s license numbers and credit scoring information) of Nationwide/Allied customers and of individuals who applied for insurance quotes but never became Nationwide/Allied insureds. (Nationwide/Allied retained applicant data so that it could more easily provide re-quotes at a later date.)
After the data breach was discovered, Nationwide/Allied offered affected individuals free identity theft protection and credit-monitoring services.
The Settlement
The settlement agreement requires Nationwide/Allied to pay a total of $5.5 million to the participating states.
The settlement agreement requires Nationwide/Allied to maintain an online disclosure that personal information collected from an individual who does not become a Nationwide/Allied insured will be retained by Nationwide/Allied while the individual’s account is active or to provide services, and as required or permitted by law.
The settlement agreement requires Nationwide/Allied to improve its data security practices. Following is a summary of some of those requirements:
1. Accountability: Appoint a Patch Policy Supervisor (responsible for the regular review and revision of security policies regarding software and application security updates and patch management for relevant IT systems, including policies for the reasonable and timely application of security updates and patches) and a Patch Supervisor (responsible for executing applicable policies for software and application security updates and patch management for relevant IT systems, including applying security updates and patches and the use of related tools/services).
2. Inventory/List: Maintain and update, on a semi-annual basis, an inventory of relevant IT systems and a list of applicable software and application security updates and patches, and use the inventory/list for related security activities.
3. Incident Management: Regularly review and update an incident management policy and procedures.
4. System Management Tools/Services: Procure, deploy and maintain a system management tool or service to provide information and real-time updates for known common vulnerabilities and exposures (“CVEs”) for relevant IT systems, and to scan relevant IT systems for CVEs.
5. CVE Feed: Procure a commercial CVE notification and feed service and implement related internal processes and procedures for relevant IT systems.
6. Internal Patch Management Assessment: On a semi-annual basis, conduct an internal patch management assessment of relevant IT systems for review by the Patch Supervisor.
7. Patch Management Audit: On an annual basis, hire an outside, independent provider to perform a patch management audit of relevant IT systems.
The settlement agreement confirms that it is not an admission of liability or wrongdoing by Nationwide/Allied. The settlement is limited in scope, and does not apply to other claims (including consumer class actions) against Nationwide/Allied relating to the data breach.
Comment
The practices and procedures required by the settlement agreement are generally consistent with cyber risk management guidance (including guidance regarding patch management) issued by government agencies, regulators and self-regulatory organizations. Examples include the Government of Canada Get Cybersafe Guide for Small and Medium Businesses; the Investment Industry Regulatory Organization of Canada Cybersecurity Best Practices Guide for IIROC Dealer Members; the Office of the Superintendent of Financial Institutions Cyber Security Self-Assessment Guidance; the Mutual Fund Dealers Association of Canada Bulletin – Compliance (No. 0690-C); the U.S. National Institute of Standards and Technology Small Business Information Security: The Fundamentals; the U.S. Federal Trade Commission Protecting Personal Information: A Guide for Business; the U.S. Federal Trade Commission Start with Security: A Guide for Business; and Securing Personal Information: A Self-Assessment Tool for Organizations, published jointly by the Privacy Commissioners of Canada, British Columbia and Alberta.
For more information about data security incident response plans, see Data Security Incident Response Plans — Some Practical Suggestions.