Major Insurance Company Fined Millions of Dollars for Data Breach

Sunday, September 10, 2017

Currently, there is no shortage of regulatory and legal actions against companies that fail to maintain a robust and comprehensive cybersecurity program. One recent action involved Nationwide Mutual Insurance Company and one of its subsidiary entities, Allied Property & Casualty Insurance Company (subsequently referred to collectively as “Nationwide”), following a criminal data breach. The breach at issue may have resulted in the loss of sensitive information—such as social security numbers and birthdates—belonging to 1.27 million consumers.

Hackers successfully exploited a vulnerability in Nationwide’s web application hosting software, and were able to gain access to the sensitive information. After the breach, Nationwide applied a software patch that was not in place at the time of the hack, in an effort to address the software vulnerability. While Nationwide admitted that the breach occurred, it denied any wrongdoing or liability as a result of the breach.

The Attorneys General of 33 states, who are tasked with enforcing consumer protection laws in their respective states, entered into an Assurance of Voluntary Compliance (“Voluntary Assurance” or the “Agreement”) along with Nationwide, in which the company agreed to meet certain requirements. Along with an online disclosure informing individuals that their personal information is retained while they maintain an active account or to provide services, Nationwide was also required to elect an information technology officer (“ITO”). According to the terms of the Voluntary Assurance, the ITO will be tasked with a number of responsibilities aimed at preventing another data breach, like the one previously experienced by Nationwide. For example, he or she will be responsible for instituting a process to review and revise Nationwide’s security policies related to software and application security updates and security patch management.

In addition, the newly elected ITO will also be responsible for overseeing and managing software and application security updates and security patch management, and supervising, coordinating and evaluating patch management tool(s). A full list of responsibilities to be met by the ITO is provided in the text of the Voluntary Assurance, which can be accessed here.

In addition to the requirements outlined in the Agreement, Nationwide agreed to pay $5,500,000 to the Attorneys General. The Attorneys General may apply the money, in full or in part, to any law enforcement fund with a consumer protection mission, “. . . including future consumer protection or privacy enforcement, consumer education, or litigation . . . ”

The regulators have made it clear that due to the increasing number of cyberattacks against financial firms, cybersecurity is, and will be, an exam priority for the foreseeable future. Does your firm have an adequately tailored cybersecurity policy in place? Contact us for assistance in creating or revising a cybersecurity policy for your firm, as it is imperative that investment advisers and broker-dealers take precautions to address this evolving threat.

About Red Oak Compliance Solutions

Red Oak Compliance Solutions is the global advertising review software of choice in the financial services industry. It is a comprehensive suite of SEC 17A-4 compliant features that are 100% books and records compliant and provides clients with 35% faster approvals and 70% fewer touches or better. We also offer Smart Review(SM), which solves for the storage and maintenance of disclosures, helping firms reduce risk, decrease review times, and increase the speed of distribution of marketing materials. Smart Registration(SM) automates the licensing and registration management process to help reduce regulatory risk and time spent on manual processes. Overall, Red Oak allows firms to minimize risk, reduce costs, and increase compliance review process effectiveness and efficiencies.