It’s happening more and more these days: massive data breaches are affecting companies that people use on a regular basis for business or personal reasons. Typically, hackers will infiltrate a company’s security system, exposing sensitive and personal information of that company’s customers. Lawsuits then follow, typically in the form of a class action. Back in May of this year, Target agreed to pay $18.5 million across 47 states as part of a settlement in a lawsuit stemming from a data breach that occurred in 2013. As anyone who shops at Target may recall, this particular data breach occurred during the holiday season in 2013 and exposed credit and debit card information of tens of millions of customers. In total, Target claimed that the 2013 data breach cost the company approximately $290 million. Notably, following the Target settlement, California Attorney General Xavier Becerra said in a statement, “This should send a strong message to other companies: You are responsible for protecting your customers’ personal information.”
Target is just one of many companies across the country that have fallen victim to data breaches over the last five years. One of those many other companies, Nationwide Mutual Insurance Company and its subsidiary Allied Property and Casualty Insurance Company (collectively “Nationwide”), recently announced a settlement of a lawsuit relating to a 2012 data breach incident.
In the lawsuit against Nationwide commenced by the Attorneys General of 33 states, it was alleged that in October 2012, Nationwide had a data breach that led to the exposure of personal information, including names, sex, occupations, driver’s license numbers, Social Security numbers, and other information of more than 1.27 million people. This personal information came not only from Nationwide’s actual customers but also from people who merely applied for insurance plans or quotes from Nationwide. It was alleged that Nationwide failed to properly implement what is known as a “security patch” on the company’s shared computer systems, a critical measure intended to prevent hacking or computer viruses. This failure to properly implement the patch ultimately allowed hackers to gain access to and penetrate the company’s databases, according to the lawsuit. New York Attorney General Eric Schneiderman described Nationwide’s actions as “true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process.” Nationwide denied any liability for the data breach.
On August 9, 2017, it was announced that Nationwide settled the lawsuit by agreeing to pay $5.5 million across the 33 states covered in the lawsuit. As part of the settlement, Nationwide is also required to provide more transparency to consumers about data collection and retention practices. In particular, Nationwide is required under the settlement agreement to hire an information technology officer and, over the next three years: (a) update its procedures and policies on maintenance and storage of consumers’ personal data; (b) conduct regular inventories of the patches and updates applied to its systems; (c) maintain and utilize system tools to monitor the security of systems used to maintain personal information; and (d) perform internal assessments of its patch management practices. Nationwide must also disclose to consumers that it retains their personal information, even if they do not become Nationwide customers.
Interestingly, Nationwide was also named in two separate class action lawsuits after the 2012 data breach that were consolidated into a single lawsuit in federal court in Ohio. Although the lawsuits were initially dismissed, a federal appeals court partially overturned the dismissal in September 2016 and the consolidated cases were remanded to the lower court for further proceedings. Those cases were not resolved as part of this settlement.
Certainly, now more than ever, companies that handle and manage personal information should heed the words of the California Attorney General and realize that even smaller companies must have proper cybersecurity measures enacted and policies in place to prevent cyberattacks and to quickly respond to any such attacks to minimize exposure. Please contact us to discuss how your company can protect itself and your customer data.