(Credit: Alex/Adobe Stock)

Auto insurance companies GEICO and The Travelers Indemnity Co. agreed to pay a combined $11.3 million in state penalties for data-security breaches that resulted in a compromise of more than 120,000 New Yorkers’ personal information, multiple state agencies said on Monday.

GEICO—the Government Employees Insurance Company—will pay $9.75 million in penalties and Travelers will pay $1.55 million, said New York Attorney General Letitia James and Department of Financial Services Superintendent Adrienne A. Harris, whose offices joined the state Department of Labor in the multi-agency probe.

James’ office concluded that the companies did not implement sufficient data security controls to protect consumers’ private information, while DFS’ investigation concluded that they didn’t comply with DFS’ cybersecurity regulation that requires them to implement policies, procedures and controls designed to protect consumer data and the financial institutions themselves.

The security breaches were part of an industry-wide campaign by hackers to steal consumers’ driver’s license numbers and dates of birth from online automobile insurance quoting applications in order to file fraudulent unemployment claims during the height of the COVID-19 pandemic, the agencies said.

The personal information of approximately 116,000 New York residents was exposed in the GEICO cyberattacks, with the vast majority being lifted from GEICO’s insurance agents’ quoting tool, while the Travelers attack exposed the personal information of about 4,000 residents.

In addition to the monetary penalties, both companies agreed to significantly enhance their security.

The companies’ settlement agreement with James’ office requires that they maintain a comprehensive information security program to protect the security, confidentiality and integrity of private information; develop and maintain a data inventory of private information; and ensure the information is protected by safeguards, among other enhancements.

GEICO's settlement agreement with DFS requires that it conduct remedial measures, including a comprehensive cybersecurity risk assessment and penetration testing, and develop an action plan to address any resulting concerns.

Travelers' agreement with DFS requires that it review its systems, assess controls and improve protections against unauthorized access to nonpublic personal information.

James' office secured $4.75 million from GEICO, while DFS secured $5 million. The AG's office and Harris' office secured $350,000 and $1.2 million from Travelers, respectively.

Related:

Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader

Your access to unlimited PropertyCasualty360 content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Breaking insurance news and analysis, on-site and via our newsletters and custom alerts
  • Weekly Insurance Speak podcast featuring exclusive interviews with industry leaders
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical converage of the employee benefits and financial advisory markets on our other ALM sites, BenefitsPRO and ThinkAdvisor
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Brian Lee

Brian Lee is an Albany-based litigation reporter for the New York Law Journal. He has worked at daily newspapers in Massachusetts, New York and New Jersey. He can be reached at [email protected]. Twitter: @bleereporter