Breach notification done right? (Nationwide hack, updated)
I spend a lot of time criticizing breach notifications, so it’s nice when I can occasionally point to a positive example.
Without considering whether the breach could have been prevented, consider this notification letter from Nationwide Insurance, dated November 16:
We want to make you aware that a portion of our computer network was criminally attacked and we believe that the attack compromised some of your information. We are very sorry that this situation has occurred. Protecting the privacy and security of your information is a top priority for us, and we want to assure you that we have taken steps that will prevent this type of attack from happening again. Although we are not aware of any misuse of your information at this time, we want to inform you about the situation and encourage you to take the steps below, including taking advantage of the credit monitoring and identity theft protection product we are providing to you at no charge.
On October 3, 2012, a portion of our computer network that is used by Nationwide Insurance agents and Allied Insurance agents was criminally intruded upon by an unidentified criminal perpetrator. We discovered the attack that day, and took immediate steps to contain the intrusion. We believe that we successfully contained the attack through our responsive actions.
We promptly initiated an investigation of the attack and on October 16, 2012, we determined that the criminal perpetrator had likely stolen some personal information from our systems. On November 2, 2012, we received confirmation of the identities and addresses of the individuals whose personal information we believe was compromised. Although we are still investigating the incident, our initial analysis has indicated that the compromised information included your name and [Social Security number, driver’s license number, date of birth] and possibly your marital status, gender, and occupation, and the name and address of your employer. At this time, we have no evidence that any medical information or credit card account information was stolen in the attack.
You can read the full letter on the California AG site.
I realize that there are some states where notification 6 weeks after the discovery of the incident would violate a timeliness provision in reporting, but overall, they detected the breach quickly, secured it quickly, and within one month, were able to construct a list of affected individuals. Could they have gotten the actual letter out faster than two weeks from confirmation of identities and addresses? Probably, but overall, I’m favorably impressed. Your mileage may vary.
Also, for those of you who cannot understand how/why Nationwide had all your information, the California Department of Insurance is investigating the breach. At the bottom of their notice they add:
Media Note: The Nationwide affiliates affected in California by the breach include: Nationwide Mutual Insurance Company, Nationwide Insurance Company of America, Allied Property & Casualty Insurance Company, AMCO Insurance Company, Depositors Insurance Company, & Titan Indemnity Company.
Nationwide has also created a web site about the breach.
If you are not satisfied with the response you get, you might try contacting the Dept. of Insurance and tell them your concerns.