Several other insurers have been issued penalties by the state of New York in the wake of this wide-reaching data breach, including GEICO, Travelers and Noblr. (Credit: New Africa/Adobe Stock)

Auto insurance company Root must pay $975,000 in penalties by order of New York Attorney Letitia James for failing to protect the information of around 45,000 New Yorkers during a data breach.

Root does not actually write auto policies in New York, but their online quoting tool allegedly allowed bad actors access to the driver’s license numbers, Social Security numbers and other private information of drivers in the state. This breach was part of an industry-wide information grab in which data thieves used stolen driver information to file fraudulent unemployment claims during the COVID-19 pandemic.

“When companies have poor data security practices, they put individuals at risk of identity theft and other fraud,” James said in a release. “Auto insurance companies need to make sure that the systems they use to store people’s data are protected to prevent cybercriminals from stealing driver’s license numbers, Social Security numbers, and other private information. Today’s settlement should send a message to companies in the auto insurance industry that my office will take action to protect New Yorkers' private information.”

According to the Attorney General, Root’s online quoting tool would pre-fill private information like driver’s license numbers for anyone who entered a name and address for a quote.

In addition to the fine, Root must enhance its data security by:

  • Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information;
  • Developing and maintaining a data inventory of private information and ensuring such information is protected by reasonable safeguards;
  • Maintaining reasonable authentication procedures for access to private information; and
  • Maintaining a logging and monitoring system as well as reasonable policies and procedures designed to properly configure the system to alert of suspicious activity.
Several other auto insurers have been issued penalties by the state of New York in the wake of this wide-reaching data breach, including GEICO, Travelers and Noblr. The state also recently filed suit against Allstate Insurance, alleging the insurer didn’t adequately protect the data of nearly 200,000 people that was exposed by their online quoting tool.

NOT FOR REPRINT

© Touchpoint Markets, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.