Nationwide Mutual Insurance Co. is being ordered to pay nearly $104,000 to New York State after a company data breach resulted in the loss of personal information of more than 2,800 New Yorkers, the state attorney general’s office announced Wednesday.
The settlement between the Columbus, Ohio-based company and 33 states, including New York, mandates that Nationwide and its Allied Property & Casualty Insurance Co. subsidiary must pay a total of $5.5 million and improve data security. The breach, which took place in 2012, led to personal information loss for 1.27 million consumers across the country.
“Nationwide demonstrated true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process,” New York State Attorney General Eric T. Schneiderman said in a statement.
In the settlement, Nationwide did not admit to any liability or wrongdoing.
“We are pleased to have reached a settlement that we believe is consistent with our longstanding commitment to protect customer information,” Eric Hardgrove, Nationwide’s director of public relations, said in a statement. “The settlement agreement does not include any allegations that we violated data security laws,” he said.
Many of the consumers impacted by the breach are not Nationwide customers but had supplied the company with personal information — including Social Security numbers and credit score information — while applying for insurance plans. Nationwide retained the data to provide potential quotes in the future.
The states in the settlement allege that the breach was caused by Nationwide’s “failure to apply a critical security patch intended to prevent hacking,” a release from the attorney general’s office said.
After the breach, consumers were given free credit monitoring, identity theft protection and identity fraud coverage of up to $1 million.