On August 9, 2017, Nationwide Mutual Insurance Co. (“Nationwide”) settled with attorneys general from 32 states for $5.5 million, in a case involving a 2012 data breach that exposed the personal information of over 1.2 million individuals. The settlement was the result of a multistate investigation into the circumstances surrounding the breach, and involved Nationwide’s failure to address a vulnerability in third-party web application software that hackers exploited.

This case is important to your business because: 

  • In the investigation and settlement, state attorneys general signal their strong interest in the security of personal data;
  • The case highlights that breaches caused by failure to maintain the security of third-party vendors particularly concern the state attorneys general;
  • The measures specified in the settlement make it clear to companies that they cannot outsource responsibility for the security of data they collect and process; and
  • Management must commit necessary resources to overseeing and managing the security of third-party vendors.

The Signal to Small and Medium Sized Companies

The Nationwide case raises the profile of security for smaller companies – particularly when they use third-party vendors – and signals the expectations of state attorneys general regarding data protection. It is particularly important to note that the AGs cooperated in this case in a multistate investigation, and that this concern is not limited to one state or jurisdiction.

SMEs are particularly vulnerable when it comes to data security. Like Nationwide, in many cases they use third-party vendors for a variety of purposes – for example, to run their website, keep track of visitors, process payments – using software that must be monitored and maintained to avoid a data breach. The state AG case makes clear that liability for a security failure can’t be outsourced, and that responsibility lies squarely with the company – not the vendor.

The significance of this case cannot be overstated. This is a problem that every SME faces, and the fines imposed for failing to address these concerns are significant. The fact that AGs cooperated in the investigation that led to this settlement highlights the scrutiny companies are under.

The Challenge for SMEs – Responsibility To Maintain Security Can’t Be Outsourced

Securing data is an ongoing challenge for companies – security threats and vulnerabilities are constantly changing, and keeping up with them – and the measures needed to address them – demands attention and resources. This is especially true for SMEs, companies that often rely on outside vendors to carry out processing and storage functions.

Data security requires constant diligence, particularly when third-party vendor software is used. While most SMEs don’t give this the priority and attention it deserves, the Nationwide case is a reminder that management must commit the appropriate time and resources to security not only within the company, but also for any third-party vendor software it may run.

This responsibility can’t be outsourced – the attorneys general make clear that companies are responsible for addressing the vulnerabilities of third-party vendor software. IT departments are most often tasked with monitoring and managing security of this resource. But management cannot assume that IT departments are staying on top of this. The Nationwide case makes it clear that management must deliver the message that monitoring and maintaining security and installing patches in a timely way is of critical importance and central to the IT department function.

What Do the AGs Require of Nationwide?

In the settlement agreement, the state attorneys general required that Nationwide take specific steps to address the problems with security patches.  These include:

  • Appointing an individual responsible for managing and monitoring software and security updates and patches;
  • Maintaining an inventory of systems that process personal information and the updates and patches applied to them;
  • Setting priorities for updating security and patches;
  • Regularly reviewing and updating incident management policies and procedures;
  • Maintaining a system management tool that scans systems that process personal information for “common vulnerabilities or exposures” (“CVEs”) and provides near real-time updates regarding known CVEs;
  • Purchasing and installing an “automated CVE feed” from a third-party provider;
  • Implementing processes and procedures that provide for internal notification, evaluation and documentation of identified CVEs;
  • Performing an internal patch management assessment on a semi-annual basis that identifies known CVEs, assigns them a risk rating, confirms appropriate patches have been applied, and documents the basis for any exceptions; and
  • Hiring an independent third party to perform a patch management audit on an annual basis.

Data security does not lend itself to a one-size-fits-all solution – your data security situation may vary from Nationwide’s – and the solutions required by the settlement agreement may not apply to you in all cases.

But the settlement sends an important message: regulators require all companies to identify one person to take responsibility for security – keeping track of systems, making sure security is up to date and patches are applied, and keeping security policies and procedures current. It also signals that companies will be held responsible for vulnerabilities introduced by third-party vendors, and must monitor software and put in place processes and procedures for overseeing security.

Security, Data Governance and Compliance

Regulator interest in ensuring the security of data about individuals is not limited to state AGs. The EU’s General Data Protection Regulation requires that companies secure personal data, and its accountability provisions make clear that organizations cannot outsource this responsibility. In the U.S., the Federal Trade Commission in its settlement agreements has made clear that companies must put in place processes and procedures to monitor and secure data about individuals.  Wherever you do business, data security should be top-of-mind for your organization.

