Nationwide/Allied security breach highlights litigation fears

An insurance company data breach that exposed 1.1 million people to identity fraud exemplifies the kind of cybercrime that companies increasingly fear will land them in civil court.

Nationwide Mutual Insurance went public on Wednesday with notification of an Oct. 3 break-in of a computer network also used by Allied Insurance. Data stolen from the insurers included names, Social Security numbers, driver's license numbers and birth dates.

Such cybercrimes have become the No. 1 worry of publicly traded U.S. companies, in terms of potential litigation and financial losses, according to a recent survey by the Chubb Group. Fully 63 percent of the respondents said they were most concerned with losing customer or employee data through an electronic security breach.

Their worries are justified. In 2011, the typical data breach resulted in $5.5 million in organizational costs, said the Ponemon Institute. In another study, Ponemon found that of the 583 IT and IT security professionals it surveyed in the U.S., 90 percent said their employers had suffered at least one data breach.

Nationwide notified authorities shortly after discovering the breach and had confirmed on Oct. 16 that personal information had been stolen, the company said. On Nov. 2, the insurer determined the identities of people affected by the breach and started notifying victims.

The California Department of Insurance was reviewing the security measures of the Nationwide/Allied Group of insurance companies to see if they were adequate to protect consumers. The breach affected more than 5,000 Californians.

"In a global economy, driven by electronic commerce, it is essential that all necessary steps are taken to ensure consumers are protected from an unintentional release or criminal theft of their personal data," Insurance Commissioner Dave Jones said in a statement.

Based on information provided by Nationwide, the Insurance Department believed the company had taken the "appropriate first steps to notify consumers." Through Equifax, the insurer was offering at no charge credit monitoring for one year and $1 million in identity theft insurance coverage.

Having notification procedures in place that follow best practices is an important step in avoiding big-payout, class-action lawsuits, which courts are more open to than in the past, said the prominent law firm Pepper Hamilton.

Over the last couple of years, courts have broadened their definition of the damages people can suffer, making companies liable for actual and future damages, since ID fraud can occur long after the initial breach.

Another step companies can take to lessen their chances of facing a class-action suit is to have security technology that falls within best practices for businesses of their size in the same industry. In addition, companies should be prepared to show that they took all reasonable steps to prevent data theft.

"The likelihood of a data breach or privacy issue occurring in any business has become a virtual certainty," Pepper Hamilton said in a client alert. "Class action lawsuits stemming from such incidents have upped the ante with the potential of millions of dollars of attorneys' fees if not damage recoveries."

Some experts believe civil litigation can become an effective deterrent to sloppy security at financial institutions. "In the long run, a civil tort/contract liability system will develop that will work more effectively and flexibly -- imposing costs on those who stint their cybersecurity efforts in an unreasonable manner," Paul Rosenzweig, former assistant secretary for policy at the Department of Homeland Security, said in a blog post at Lawfare.

[See related: Civil litigation: A better way to improve cybersecurity?]

The Nationwide/Allied breach is just the latest attack on the financial services industry. Starting in late September, a group calling itself Izz ad-Din al-Qassam Cyber Fighters launched a series of denial-of-service attacks over several weeks that affected a number of U.S. banks, including Wells Fargo, Bank of America and JPMorgan Chase.

Read more about data privacy in CSOonline's Data Privacy section.

Stories by Antone Gonsalves
