Nationwide/Allied security breach highlights litigation fears

An insurance company data breach that exposed 1.1 million people to identity fraud exemplifies the kind of cybercrime that companies increasingly fear will land them in civil court.

Nationwide Mutual Insurance went public on Wednesday with notification of an Oct. 3 break-in of a computer network also used by Allied Insurance. Data stolen from the insurers included names, Social Security numbers, driver's license numbers and birth dates.

Such cybercrimes have become the No. 1 worry of publicly traded U.S. companies, in terms of potential litigation and financial losses, according to a recent survey by the Chubb Group. Fully 63 percent of the respondents said they were most concerned with losing customer or employee data through an electronic security breach.

Their worries are justified. In 2011, the typical data breach resulted in $5.5 million in organizational costs, said the Ponemon Institute. In another study, Ponemon found that of the 583 IT and IT security professionals it surveyed in the U.S., 90 percent said their employers had suffered at least one data breach.

Nationwide notified authorities shortly after discovering the breach and confirmed on Oct. 16 that personal information had been stolen, the company said. On Nov. 2, the insurer determined the identities of the people affected by the breach and started notifying victims.

The California Department of Insurance was reviewing the security measures of the Nationwide/Allied Group of insurance companies to see if they were adequate to protect consumers. The breach affected more than 5,000 Californians.

"In a global economy, driven by electronic commerce, it is essential that all necessary steps are taken to ensure consumers are protected from an unintentional release or criminal theft of their personal data," Insurance Commissioner Dave Jones said in a statement.

Based on information provided by Nationwide, the Insurance Department believed the company had taken the "appropriate first steps to notify consumers." Through Equifax, the insurer was offering one year of credit monitoring at no charge and $1 million in identity theft insurance coverage.

Having notification procedures in place that follow best practices is an important step in avoiding big-payout, class-action lawsuits, which courts are more open to than in the past, said the prominent law firm Pepper Hamilton.

Over the last couple of years, courts have broadened their definition of the damages people can suffer, making companies liable for actual and future damages, since ID fraud can occur long after the initial breach.

Another step companies can take to lessen their chances of facing a class-action suit is to deploy security technology that falls within best practices for businesses of their size in the same industry. In addition, companies should be prepared to show that they took all reasonable steps to prevent data theft.

"The likelihood of a data breach or privacy issue occurring in any business has become a virtual certainty," Pepper Hamilton said in a client alert. "Class action lawsuits stemming from such incidents have upped the ante with the potential of millions of dollars of attorneys' fees if not damage recoveries."

Some experts believe civil litigation can become an effective deterrent to sloppy security at financial institutions. "In the long run, a civil tort/contract liability system will develop that will work more effectively and flexibly -- imposing costs on those who stint their cybersecurity efforts in an unreasonable manner," Paul Rosenzweig, former assistant secretary for policy at the Department of Homeland Security, said in a blog post at Lawfare.

The Nationwide/Allied breach is just the latest attack on the financial services industry. Starting in late September, a group calling itself Izz ad-Din al-Qassam Cyber Fighters launched a series of denial-of-service attacks over several weeks that affected a number of U.S. banks, including Wells Fargo, Bank of America and JPMorgan Chase.
