NY AG and NYDFS Announce $11.3 Million Data Breach Settlement with GEICO and Travelers

On November 25, 2024, the New York Attorney General (“AG”) and New York Department of Financial Services (“NYDFS”) announced an $11.3 million settlement with the Government Employees Insurance Company (“GEICO”) and The Travelers Indemnity Company (“Travelers”) over alleged legal violations related to cybersecurity incidents.

According to the AG, beginning in 2020, hackers obtained New Yorkers’ driver’s license numbers from GEICO’s public-facing insurance quoting tools and then exploited vulnerabilities in GEICO’s insurance agent quoting tool. Personal information of the 116,000 affected New York residents was later used to file unemployment claims during the COVID-19 pandemic. The AG alleged that GEICO failed to protect consumer driver’s license numbers on its website’s backend and failed to conduct a comprehensive review of its systems to prevent and detect future cyberattacks.

The AG separately alleged that, in April 2021, hackers obtained consumers’ driver’s license numbers by using compromised agent credentials to access Travelers’ agent portal, and that Travelers did not detect the breach for more than seven months. The incident exposed the personal information of approximately 4,000 New Yorkers. In its press release, the AG indicated that although the Travelers insurance agent portal was password protected, it did not use multifactor authentication or any other compensating controls.

The AG and NYDFS alleged that GEICO and Travelers violated New York’s Executive Law, General Business Law and the New York Cybersecurity Regulation, which, among other obligations, requires financial institutions to implement policies, procedures and controls to protect consumer data. As part of the settlement, GEICO will pay $9,750,000 in penalties and Travelers will pay $1,550,000 in penalties. The companies are also required to:

  • Maintain a comprehensive information security program designed to protect the security, confidentiality and integrity of private information.
  • Develop and maintain a data inventory of private information and ensure the information is protected by safeguards.
  • Maintain reasonable authentication procedures for access to private information.
  • Maintain a logging and monitoring system as well as reasonable policies and procedures designed to properly configure such system to alert on suspicious activity.
  • Enhance their threat response procedures.
