The New York State Department of Financial Services has entered into settlements with eight auto insurance companies, securing more than USD 19 million in civil monetary penalties for violations of its cybersecurity regulation following data breaches involving online automobile insurance quoting applications. DFS found that inadequate cybersecurity controls enabled threat actors to access and steal New Yorkers’ personal data, including driver’s license numbers and dates of birth. Penalties were assessed against Farmers Insurance Exchange (USD 2.775 million), Hagerty Insurance Agency, LLC (USD 1.85 million), Hartford Fire Insurance Company (USD 3 million), Infinity Insurance Company (USD 2.25 million), Liberty Mutual Insurance Company (USD 2.7 million), Metromile Insurance Company (USD 2.05 million), Midvale Indemnity Company (USD 2 million), and State Automobile Mutual Insurance Company (USD 2.5 million). The investigation, coordinated with the Office of the New York State Attorney General, concluded that the firms did not implement required policies, procedures, and controls to protect consumer nonpublic information (NPI) and information systems, leaving NPI accessible via public-facing web applications and agent portals used for quoting. Farmers and Infinity also failed to timely report their respective cybersecurity events. Each company agreed to remedial measures, including a comprehensive review of the accessibility of consumer NPI across its systems. DFS said its investigations into the breaches remain ongoing.
New York State Department of Financial Services 2025-10-14
New York State Department of Financial Services secures more than USD 19 million in penalties from eight auto insurers for cybersecurity regulation violations
The New York State Department of Financial Services settled with eight auto insurers for over USD 19 million in penalties due to cybersecurity regulation violations linked to data breaches. The breaches exposed New Yorkers' personal data, including driver's license numbers, due to inadequate cybersecurity controls. The companies, including Farmers Insurance Exchange and Liberty Mutual, agreed to remedial measures, and investigations continue.