GEICO, Travelers auto insurers must pay $11.3 million in data breach penalties

STATEWIDE — TWO MAJOR AUTO INSURERS WILL HAVE TO PAY a total of $11.3 million in penalties for a data breach that resulted in hackers obtaining customers' sensitive information, as part of a settlement with New York State. Attorney General Letitia James and Adrienne A. Harris, superintendent of the State Department of Financial Services, on Monday, Nov. 25, secured $11.3 million in penalties from the Government Employees Insurance Company (GEICO) and the Travelers Indemnity Company (Travelers), for weak data security which led to the personal information of more than 120,000 New Yorkers being compromised.

These security incidents were part of an industry-wide campaign by hackers to steal consumers' personal information, including driver's license numbers and dates of birth, from online automobile insurance quoting applications, including those used by GEICO and Travelers. The hackers then used some of the stolen driver's license information to file fraudulent unemployment claims at the height of the COVID-19 pandemic. The investigation concluded that the auto insurance companies did not implement sufficient data security controls to protect consumers' private information, and they failed to comply with its cybersecurity regulation that requires them to implement policies, procedures and controls designed to protect consumer data and the financial institutions themselves.

The settlements will require GEICO to pay $9.75 million in penalties; Travelers will pay $1.55 million. The two companies must also adopt a series of measures aimed at strengthening their cybersecurity practices going forward, such as enhancing their threat response procedures. Read the full story here.

✰✰✰