Nationwide Mutual Insurance Company and its subsidiary Allied Property and Casualty Insurance Company have agreed to pay more than $5 million as part of a settlement for a data breach that occurred in 2012.

The settlement will split up a total of $5.5 million among 33 states that were involved in the lawsuit. The money will be used by the Attorneys General of each state to cover attorneys’ fees, costs of the investigation and to invest in consumer education.

Read: Target Settlement: Company Will Pay $18.5M For Credit Card Data Breach

The cause for the settlement dates back to Oct. 3, 2012, when Nationwide and Allied fell victim to a data breach that resulted in the exposure of sensitive and personal information of more than 1.27 million people.

The breach exposed names, sex, occupations, driver’s license numbers and Social Security numbers, among other information. Nationwide and Allied didn’t just expose data from its own customers; the breach also included information from people who had applied for insurance plans or quotes in the past.

The incident was believed to be the result of a failure to properly implement a security patch on the insurer’s shared computer systems, allowing a third-party actor to penetrate the system and gain access to troves of sensitive data.

In the wake of the breach, Nationwide did report the attack to law enforcement and attempted to notify all affected individuals who may have had information exposed as a result of the breach. The insurer also provided one year of free credit monitoring to the victims.

Read: FTC: DeVry University Agrees to Pay $100 Million Settlement in False Ads Lawsuit

Despite taking proper steps after the incident occurred, Nationwide and its subsidiary Allied were dinged for failure to prevent the attack in the first place. In addition to the monetary agreement, the companies also are required to provide more transparency about data collection and retention practices to consumers so they know what information is being kept.

The companies will also have to hire an information technology officer per the terms of the settlement. The expert will review the security policies at the insurance outfits and ensure that all systems are up to date.

The information technology officer will help to improve the company’s patch management processes, create and maintain an inventory of all hardware and software operated by the company, review and update policies for incident response, use a tool to document and patch vulnerabilities and report compliance with the terms to the Attorneys General.

While Nationwide and Allied agreed to the settlement, the companies hold that there was no wrongdoing on the part of the companies.

“The settlement agreement does not include any allegations that we violated data security laws. We believe that we have not violated such laws and that at all times our computer security has been compliant with data security laws,” a Nationwide spokesperson said. “The decision to enter into a settlement agreement reflects our desire to continue our strong cybersecurity program and to concentrate on our core business operations.”

States involved in the settlement include Alaska, Arizona, Arkansas, Connecticut, Florida, Hawaii, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oregon, Pennsylvania Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington and the District of Columbia.

RELATED STORIES
Settlement