Nationwide reaches settlement in 2012 data breach

Nationwide Insurance has reached a settlement with more than 30 state Attorneys General stemming from a 2012 data breach.

Under the terms of the agreement, Nationwide will pay $5.5 million, split among 32 states and the District of Columbia. The company is also required to make several changes in its IT department.

Required new appointments include a Patch Policy Supervisor, who is tasked with "maintaining the process by which Nationwide/Allied's security processes as to software and application security updates and security patch management are regularly reviewed and by which revisions are made." A separate Patch Supervisor, meanwhile, will be responsible for actually installing those patches and updates.

Nationwide is also required to deploy and maintain a systems management tool that provides it with regular updates of vulnerabilities in any software within its technology organization. It also must purchase and install automated feeds of vulnerabilities for its IT and security organizations.

Finally, the company is required to bring in a third-party auditor once a year for at least the next three years to audit its patch management practices.
