New York State is securing more than $19 million in penalties from eight auto insurance providers for violations of the state’s cybersecurity regulation.
Department of Financial Services Superintendent Adrienne A. Harris said that inadequate cybersecurity controls allowed hackers to steal New Yorkers’ personal information, including driver’s license numbers and dates of birth, from online automobile insurance quoting applications.
As a result of an investigation by the state, Farmers Insurance Exchange will pay $2.775 million; Hagerty Insurance Agency will pay $1.85 million; Hartford Fire Insurance Co. will pay $3 million; Infinity Insurance Co. will pay $2.25 million; Liberty Mutual Insurance Co. will pay $2.7 million; Metromile Insurance Co. will pay $2.05 million; Midvale Indemnity Co. will pay $2 million; and State Automobile Mutual Insurance Co. will pay $2.5 million in civil monetary penalties.
According to DFS, its investigation concluded that the auto insurance firms did not comply with DFS’s cybersecurity regulation, which requires them to implement policies, procedures, and controls to protect consumer data and their own information systems.
As a result of this failure, threat actors were able to access consumer nonpublic information, including driver’s license numbers, via public-facing web applications and agent portals that the insurance companies used to provide automobile insurance quotes to prospective customers. DFS alerted all regulated entities of these attacks in two industry letters, dated February 16, 2021 and March 30, 2021.
“DFS’s first-in-the-nation cybersecurity framework has become a model for safeguarding the integrity of our financial system and the personal information of millions of New Yorkers,” said Harris.
This is not the first such action regarding auto insurance quoting systems. DFS has entered into consent orders with 27 entities for violations of its cybersecurity regulation resulting in over $144 million in fines.
In addition to the failures described above, Farmers and Infinity failed to timely report their respective cybersecurity events as required, according to DFS.
Each company has also agreed to conduct remedial measures, including a review of the accessibility of consumer information stored on their information systems.