AG Brnovich Announces $5.5 Million Settlement with Nationwide Insurance after Data Breach

PHOENIX – Attorney General Mark Brnovich announced his office, along with the Attorneys General of 31 other states and the District of Columbia, reached a settlement with Nationwide Mutual Insurance Company (“Nationwide”), after a data breach in October 2012. Cybercriminals hacked into Nationwide’s systems and stole the personal information of 1.27 million consumers. The information exposed included consumers’ social security numbers, driver’s license numbers, and credit scoring information. It is alleged the data breach was caused by Nationwide’s failure to apply a critical security patch prior to the incident.

"It's vital that companies take every security precaution to protect consumers' personal information from cybercriminals and hackers," said Attorney General Mark Brnovich.

The settlement requires Nationwide, and its subsidiary, Allied Property & Casualty Insurance Company, to take steps to update and strengthen its security practices and security software.  Nationwide must also hire a technology officer responsible for monitoring software and security updates.

Additionally, Nationwide agreed to take the following data security steps over the next three years:

  • Updating its procedures and policies relating to the maintenance and storage of consumers’ personal data.
  • Conducting regular inventories of the patches and updates applied to its systems used to maintain consumers’ personal information (“PII”).
  • Maintaining and utilizing system tools to monitor the health and security of its systems used to maintain PII.
  • Performing internal assessments of its patch management practices and hiring an outside, independent provider to perform an annual audit of its practices regarding the collection and maintenance of PII.

Many of those affected never became Nationwide’s customers, but the company kept their data in order to easily provide requotes at a later date.  The settlement requires Nationwide to be more transparent about its data collection practices by requiring it to disclose that it retains consumers’ personal information even if they do not become customers.

Approximately 45,237 Arizonans were impacted by this breach. Arizona will receive $264,248.62 of the $5.5 million settlement. Arizona was joined in the settlement by the Attorneys General of Alaska, Arkansas, Connecticut, Florida, Hawaii, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, and the District of Columbia.

This matter was handled by Assistant Attorney General Taren Ellis Langford.

If you believe you have been the victim of consumer fraud, please contact the Attorney General’s Office in Phoenix at (602) 542-5763, in Tucson at (520) 628-6504, or outside the metro areas at (800) 352-8431. Bilingual consumer protection staff is available to assist. Consumers can also file complaints online by visiting the Attorney General’s website at