Nationwide’s data breach should prompt agents to review their own security practices.
Nationwide Mutual Insurance Co. and its subsidiary Allied Property & Casualty Insurance Co. have agreed to pay $5.5 million to 33 states to settle a 2012 data breach that exposed the personal information of 1.27 million people. The compromised data included dates of birth, Social Security numbers, driver’s licence numbers, and Nationwide’s internal credit scores.
Consumers provided the information while trying to get quotes from Nationwide. In many instances, those affected ultimately didn’t even purchase a policy from the company. Nevertheless, New York Attorney General Eric Schneiderman, one of the state AGs involved in the settlement, said that “companies have a responsibility to protect consumers' personal information regardless of whether or not those consumers become customers.”
Here’s What Happened
The states’ AGs claimed Nationwide failed to install a needed security patch within its web application-hosting software that would have thwarted the cyber intrusion. Once the insurer detected the breach, it took “immediate steps” to halt the attack, Nationwide spokesman Eric Hardgrove said in a statement.
According to the agreement, Nationwide applied a previously unused security patch to contain the breach the day it occurred. Hardgrove further noted that the agreement doesn’t state that the insurer broke any data security laws.
As part of the settlement, Nationwide agreed to upgrade and regularly monitor its security systems and patch management and hire an IT executive to oversee those functions. The insurer will also update its policies and procedures on maintaining and storing consumers’ personal data. For consumers and customers affected by the attack, Nationwide offered free credit monitoring for a year and identity fraud protection of up to $1 million.
USA Today reported that the data breach also prompted two class action lawsuits. A federal district court in Ohio initially dismissed the cases after combining them, arguing that the plaintiffs failed to prove legal standing. Last September, a federal appeals court partially reversed that decision and returned the lawsuits to the lower court for further review.
What Insurance Agents Can Do to Protect Their Data
While large-scale ransomware attacks tend to attract headlines, hackers don’t always set their sights on major corporations. Independent insurance agents should also take measures to protect their clients’ personal information from costly identity theft. The following tips can help you keep your clients’ data safe and private:
Encrypt your data: You can either encrypt a file on your hard drive or encrypt the entire hard drive, sealing your information in a password-protected database. Programs like BitLocker are included with most operating systems, while others are available for free online.
Keep your software updated: Update security patches on a weekly basis, invest in a strong firewall, and install a malware protection program and anti-virus software.
Use long and creative passwords: This is the first rule of IT security, but it bears repeating. Create passwords of at least eight characters, including some combination of uppercase and lowercase letters, symbols, and numbers. Never use your agency’s complete name, and change passwords frequently to thwart hackers.
Restrict user access: Not everyone in your agency needs access to all client data. Limit user permissions to what information employees need to do their jobs effectively. You should also tell employees not to share their passwords with anyone inside or outside the agency.
Use safeguards when sending data: Insurance agents frequently send sensitive policy information over the Internet. Whenever you send private client data from your server, make sure that your email network is encrypted and secure.
As the head of an agency, it’s up to you to develop a security plan to defend your clients’ private data. Your clients’ privacy and financial well-being depend on it, along with your agency’s reputation.