Client Alert: Failure to Patch Results in $5.5M InfoSec Settlement for Nationwide... and a Required, Significant Patch Management Program
Periodically, state regulators provide some insight into their information security expectations; businesses would be smart to take note of them. These same requirements are not always found in applicable laws, meaning that if your information security efforts are too-heavily aimed at compliance with regulation but do not sufficiently account for risk, you will strike the wrong balance. Take, for example, recent news that Nationwide Mutual Insurance Co. will pay $5.5M to resolve claims by 32 states and the District of Columbia that its failure to implement a critical security patch issued by a third party software provider constituted a violation of multiple consumer protection and data security laws in those states (refer to the settlement appendix for more on these laws).
Clearly no one wants to cough up $5.5M to settle an InfoSec action so the payment is grabbing headlines. Interestingly, the settlement also requires Nationwide to implement a fairly significant patch management program, complete with at least two assigned, responsible personnel positions. A “Patch Policy Supervisor” must be designated as responsible for patch management and software and application security updates. In addition, a “Patch Supervisor” will be required to monitor and manage software and application security updates and patch management; supervise, evaluate and coordinate application of “all” security patches and updates; and supervise, evaluate, and coordinate system management tools also required by the settlement. Keep your eyes open for those choice job postings...
Nationwide is required to maintain and update at least semi-annually an inventory of all covered systems, including the system name and version with a list of all patches applied in that timeframe. Nationwide is further required to assign a priority level and schedule related to updates that it decides to pursue based on risk levels identified “by software and application providers” (so the third party issuers' risk designations have to be a factor. Nationwide cannot merely decide priorities based on its own discretion).
And that's not all. Among the other surprisingly granular requirements Nationwide agreed to implement:
- Deploy a “system management tool (or contract with a vendor)” to provide “near real-time updates” for application security updates and patches, discover covered systems that may be at risk for common vulnerabilities and security incidents, and scan covered systems for common vulnerabilities (!!)
- Implement a process so that responsible teams can be notified of common vulnerabilities
- Assign risk severities for each common vulnerability identified along with mitigation or exception actions taken in response
- Purchase and install intrusion detection and intrusion protection systems
- Purchase and install “an automated [common vulnerability] feed from a solution provider” that supplements Nationwide's security information and event management (SIEM) technology
- Perform patch management assessments at least semi-annually
- Hire an outside independent provider to perform a patch management audit at least annually
- Submit to the 33 Attorneys General who pursued this action a compliance certification assuring that all requirements have been implemented, and provide said AGs with access to all policies, inventories, assessments and audits required by the settlement (which documents the AGs agree to treat as exempt from public records law).
Most security pros know that security patch management is critical to strong security. Most also would be excited to find an organization implementing a program like the one described in the settlement (obviously less excited to implement it themselves as a legal requirement with government oversight...). However, it's much less common to find that compliance professionals or legal teams have security risks like patch management on their own punch lists because such activity simply is not required by the letter of most laws. These compliance and legal pros need to partner with InfoSec to expand their horizons, because a failure of risk management can and does generate legal charges and compliance risks that should be on their radar. One need only consider the continued strong trend of HIPAA enforcement to confirm this supposition: The U.S. DHHS Office for Civil Rights has repeatedly, consistently penalized HIPAA covered entities and business associates for failure to generate or respond to risk analyses.
Speaking of horizons...A recent-past example of a state enforcing based on failure to manage security risk came to use from Horizon Blue Cross Blue Shield of New Jersey, which paid $1.1M to settle charges arising from its failure to implement encryption. That failure was attributed to "shadow IT," the phenomenon by which business teams decide to implement their own tech systems outside the purview of their InfoSec teams. Here again, if compliance and legal professionals are not including this risk in their calculations and advice about information security, their efforts on behalf of clients will be incomplete. Read more about the Horizon action here.
The granularity of this settlement is unique, but its focus on managing security risk as a legal requirement is not. Business should incorporate risk into compliance efforts and recognize legal impacts, not only security impacts, associated with these issues in order to develop a fulsome approach to data security and compliance.