NY AG and NYDFS Announce $11.3 Million Data Breach Settlement with GEICO and Travelers
Wednesday, December 11, 2024
Print Mail Download info_icon_img/>i

On November 25, 2024, the New York Attorney General (“AG”) and New York Department of Financial Services (“NYDFS”) announced a $11.3 million settlement with the Government Employees Insurance Company (“GEICO”) and The Travelers Indemnity Company (“Travelers”) over alleged legal violations related to cybersecurity incidents.

According to the AG, beginning in 2020, hackers obtained New Yorkers’ driver’s license numbers from GEICO’s public-facing insurance quoting tools and then exploited vulnerabilities in GEICO’s insurance agent quoting tool. Personal information of the 116,000 affected New York residents was later used to file unemployment claims during the COVID-19 pandemic. The AG alleged that GEICO failed to protect consumer driver’s license numbers on its website’s backend and failed to conduct a comprehensive review of its systems to prevent and detect future cyberattacks.

The AG separately alleged that, in April 2021, hackers obtained consumers’ driver’s license numbers by using compromised agent credentials to access Travelers’ agent portal, and that Travelers did not detect the breach for more than seven months. The incident exposed the personal information of approximately 4,000 New Yorkers. In its press release, the AG indicated that although the Travelers insurance agent portal was password protected, it did not use multifactor authentication or any other compensating controls.

The AG and NYDFS alleged that GEICO and Travelers violated New York’s Executive Law, General Business Law and the New York Cybersecurity Regulation, which among other obligations, requires financial institutions to implement policies, procedures and controls to protect consumer data. As part of the settlement, GEICO will pay $9,750,000 in penalties and Travelers will pay $1,550,000 in penalties. The companies also are required to:

  • Maintain a comprehensive information security program designed to protect the security, confidentiality and integrity of private information.
  • Develop and maintain a data inventory of private information and ensure the information is protected by safeguards.
  • Maintain reasonable authentication procedures for access to private information.
  • Maintain a logging and monitoring system as well as reasonable policies and procedures designed to properly configure such system to alert on suspicious activity.
  • Enhance their threat response procedures.
Copyright © 2024, Hunton Andrews Kurth LLP. All Rights Reserved.

Current Public Notices

Post Your Public Notice Today!

Free Guide: Using AI & State Court Data to Automate Litigation Tasks.

Discover how Trellis AI helps litigators evaluate cases, automate brief drafting, suggest winning strategies, and more. Click this link to request the Trellis AI Guide.

Published: 5 December, 2024
PUBLIC NOTICE OF DISPOSITION OF COLLATERAL: NUEVO GATEWAY, LLC and PTA DEVELOPMENT LLC
Published: 9 December, 2024
PUBLIC NOTICE OF DISPOSITION OF COLLATERAL: E-Lux Bikes LLC
Published: 9 December, 2024
PUBLIC NOTICE OF UCC SALE: Gaming Society
Published: 6 December, 2024
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: TrueNorth Projects, LLC
Published: 21 November, 2024
PUBLIC NOTICE OF DISPOSITION OF COLLATERAL: BCL CALIFORNIA LLC
Published: 18 November, 2024
PUBLIC NOTICE OF UCC SALE: Sheridan & Wilson, LLC
Published: 29 October, 2024
PUBLIC NOTICE OF UCC SALE: Prime Finance Short Duration Holding Company VII, LLC
Published: 18 September, 2024
Discover more public notices

Current Legal Analysis

More from Hunton Andrews Kurth

Upcoming Events

 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins