New York State is securing more than $19 million in penalties from eight auto insurance providers for violations of the state’s cybersecurity regulation.
Department of Financial Services (DFS) Superintendent Adrienne A. Harris said that inadequate cybersecurity controls allowed hackers to steal New Yorker’s personal information, including driver’s license numbers and dates of birth, from online automobile insurance quoting applications.
As a result of a an investigation by the state, Farmers Insurance Exchange will pay $2.775 million; Hagerty Insurance Agency will pay $1.85 million; Hartford Fire Insurance Co. will pay $3 million; Infinity Insurance Co. will pay $2.25 million; Liberty Mutual Insurance Co. will pay $2.7 million; Metromile Insurance Co. will pay $2.05 million; Midvale Indemnity Co/ will pay $2 million; and State Automobile Mutual Insurance Co. will pay $2.5 million in civil monetary penalties.
According to DFS, its investigation concluded that the auto insurance firms did not comply with DFS’s cybersecurity regulation, which requires them to implement policies, procedures, and controls to protect consumer data and their own information systems.
As a result of this failure, threat actors were able to access consumer nonpublic information, including driver’s license numbers, via public-facing web applications and agent portals that the insurance companies used to provide automobile insurance quotes to prospective customers. DFS alerted all regulated entities of these attacks in two industry letters, dated February 16, 2021 (link) and March 30, 2021 (link).
“DFS’s first-in-the-nation cybersecurity framework has become a model for safeguarding the integrity of our financial system and the personal information of millions of New Yorkers,” said Harris.
This is not the first such action regrading auto insurance quoting systems. DFS has entered into consent orders with 27 entities for violations of its cybersecurity regulation resulting in over $144 million in fines.
In addition to the failures described above, Farmers and Infinity failed to timely report their respective cybersecurity events as required, according to DFS.
Each company has also agreed to conduct remedial measures, including a review of the accessibility of consumer information stored on their information systems.
Topics Auto Data Driven New York
Was this article valuable?
Here are more articles you may enjoy.
Argentina Soccer Match Pulled From Chicago Amid Troop Tension 
US Probes Driver Assistance Software in 2.9 Million Tesla Vehicles Over Traffic Violations 
High Demand for Gen AI Insurance; Buyers Say They’ll Pay More: Report 
La Niña’s Back, but Will It Amp Up Hurricane Season? 
