Nationwide Mutual Insurance Co. agreed to a $5.5 millionsettlement over a 2012 data breach that led to the theftof more than 1 million customers' personal information, attorneysgeneral for 33 states announced Wednesday.

The settlement came after the states claimed Nationwide and asubsidiary failed to apply a critical security patch to its networkthat could have protected it from the cyberattack. Attorneysgeneral from Connecticut, Florida, New York, Pennsylvania, Texasand Washington, D.C., were among those involved with thesettlement.

Related: 5 best practices to avoid a costly databreach

Data from consumers seeking quotes

Hackers were able to gain access to Social Security numbers,driver's license numbers, credit scoring information and otherpersonal data the company collected on consumers seeking quotes,according to New York Attorney General Eric Schneiderman's office.Many of the victims were not ultimately insured by Nationwide.

As part of the settlement, the insurance company agreed to bemore transparent about its data collection policy for those thatdon't become customers, Schneiderman's office said.

"This settlement should serve as a reminder that companies havea responsibility to protect consumers' personal informationregardless of whether or not those consumers become customers. Wewill hold companies to account if they don't," Schneiderman said ina statement, noting that nearly 3,000 New Yorkers were among thevictims.

Agreed to improve internal security practices

As part of the agreement, Nationwide will improve its internalsecurity practices, according to the AGs. The company also agreedto more regularly apply security updates, and to hire a technologyofficer responsible for monitoring application and softwaresecurity.

Connecticut Attorney General George Jepsen noted state law"requires that anyone in possession of another person's personalinformation safeguard that data." Nearly 1,000 Connecticutresidents were affected by the breach.

Related: No business is totally safe from cyberattacks

In the wake of the breach, Nationwide provided free creditmonitoring and identity theft protection to those impacted, inaddition to fraud expense coverage up to $1 million and access tocredit reports, the AGs noted.

"Consumers in the district and across the nation entrust theirpersonal information to retailers every day," D.C. Attorney GeneralKarl Racine said in a statement. "Data breaches open the door toidentity theft, which can have real and devastating consequencesfor hard-working people, and we hope today's settlement remindsretailers that they have a responsibility to do everything they canto protect consumers' private information."

'Protecting consumer data is something that we takeseriously'

In a statement, Nationwide spokesman Eric Hardgrove said thecompany was "pleased" with the settlement over the data breachcaused by "a sophisticated, criminal attack" that the company "tookimmediate steps to successfully contain." The settlement itself"does not include any allegations that we violated data securitylaws" as the insurance company does not believe any such laws wereviolated.

Related: 5 cybersecurity problems facing mid-size insurancecompanies

"The decision to enter into a settlement agreement reflects ourdesire to continue our strong cybersecurity program and toconcentrate on our core business operations," Hardgrove said."Protecting consumer data is something that we take seriously. Webelieve a private/public partnership would be the best approach tocombat cyberattacks on U.S. companies, and we are pleasedNationwide is at the forefront of this approach."

B. Colby Hamilton is a New York-based financial andwhite-collar litigation reporter for the New York Law Journal andLaw.com. Contact Colby at [email protected]. OnTwitter: @bcolbyhamilton.