These days, running an insecure system can leave your company facing much worse consequences than an offline website. You could face lawsuits. A recent article on a security breach at a large insurance company brings that issue into focus. Keep reading to see how Nationwide is trying to do the right thing.
Anthony Gonsalves covered the Nationwide Mutual Insurance company story for CSO Online. The insurance firm admitted that it suffered a security breach on October 3 in which hackers stole data on more than one million of their customers. The data stolen included names, Social Security numbers, driver's license numbers, and birth dates. In other words, it was prime material for committing identity theft.
This kind of cybercrime represents a huge concern for any company that holds personally identifiable data in databases – or in other words, just about any company. Securing your customers' and employees' data as well as you can is the right thing to do. Even if it weren't, this kind of security breach is expensive: in goodwill lost, in customers lost, and in potential lawsuits.
Yes, I said lawsuits. Another piece by Gonsalves reported that courts in the United States began accepting a wider view of damages suffered from security breaches. In fact, he notes that “Judges...are awarding class-action status to lawsuits that can show actual damages or a real possibility of future damages.” This change in attitude “would make companies liable for steps taken to prevent financial harm, such as insurance to cover the costs associated with identity theft.”
Nationwide seems to be trying to do the right thing. After discovering the attack on the day it was instigated – October 3 – it launched an investigation. As the company explained in a statement on its website, it determined on October 16 that the perpetrator of the attack had likely stolen some data from their system. Once they confirmed the identities attached to the data, and that it was personally sensitive data, Nationwide began contacting those affected by the breach; this began November 2. Additionally, “We promptly reported this criminal attack to law enforcement authorities, who are actively investigating the incident,” Nationwide stated. “A third-party expert was retained to analyze the impacted data and worked with us to identify specifically whose personal information was compromised as quickly as possible.”
So what's next? Nationwide is not only acting with transparency; it's trying to do its best by its customers. As Gonsalves notes, “Through Equifax, the insurer was offering at no charge credit monitoring for one year and $1 million in identity theft insurance coverage.” This offering should help relieve some of the initial panic from individuals notified that their personal data has been stolen. They'll need to enroll in the program, of course, but Nationwide is offering it to them for free – which is only right, since it's the insurance company's security that was breached.
If you don't yet have a plan in place in case your company's data is compromised, or the personal data of your employees or customers is stolen, you need to work on that. No organization is immune to this kind of attack.