The company has now settled the case, having worked out an arrangement that satisfied 32 different state attorney generals and the AG from the District of Columbia. The result was a hefty $5.5 million settlement, and a pledge to update its security practices.
Under the terms of the agreement, the company has three years to accomplish the following:
1) Perform an internal assessment of its patch management practices, and hire an independent provider to perform annual audits regarding the collection and safekeeping of personal information
2) Maintain and utilize tools to monitor the security of systems used to maintain personal information
3) Conduct regular inventories of the patches and updates applied to its systems that are used to store and safeguard personal information
4) Update its policies and procedures as they relate to the storage and safekeeping of personal data
The settlement also requires Nationwide and its subsidiaries to inform consumers that it retains their personal information, even if they do not become customers of the company.
As expensive and painful as this settlement is, it’s definitely not the end of the matter. There’s still a class-action lawsuit pending, and based on the shape of this settlement, that suit is all but certain to cost the insurance giant even more money.
This is a stark example of just how painful data breaches can be. Nationwide is a big company with deep pockets, so it certainly has the resources to weather this storm. Your company may not be so lucky.