Insurance Companies Face $11.3 Million in Fines Due to Cybersecurity Failures

November 27, 2024

By: Jessica L. Copeland

In yet another example of the importance of a robust cybersecurity and data protection program, the New York Office of the Attorney General (OAG) and the New York State Department of Financial Services (DFS) collectively fined the insurance companies GEICO and Travelers Indemnity Company $11.3 million over a series of data breaches in which customer data was accessed.

Beginning in late 2020, threat actors accessed customer nonpublic information such as driver’s license numbers, dates of birth and vehicle information as part of an industry-wide campaign coordinated by hackers. According to OAG, the personal information of more than 120,000 New Yorkers was compromised. In addition to the monetary penalties, the two insurance companies will have to develop approved action plans to improve their data security systems.

In January 2021, DFS sent an alert to several regulated insurance entities, including GEICO and Travelers, stating that it had received reports that cybercriminals were conducting a widespread campaign to steal data from insurance company websites using online auto insurance quoting tools. The alert directed the companies to immediately review customer-facing website security. GEICO experienced two data breaches that month.

The GEICO Breaches

GEICO reported a cybersecurity event to DFS in late January 2021 in which threat actors extracted customer driver’s license numbers through GEICO’s customer-facing online insurance quote tool. Shortly thereafter, DFS issued its industry-wide warning regarding such instant-quote tools. GEICO then reported a second cybersecurity incident in which threat actors accessed additional customer nonpublic information.

Despite the warning from DFS and those two data breaches, DFS states that GEICO failed to conduct a comprehensive review of its data security systems to prevent future cyberattacks. As a result, GEICO reported a third cybersecurity event to DFS in March 2021. In total, the personal information of approximately 116,000 New Yorkers was exposed in the GEICO cyberattacks, with the vast majority lifted from GEICO’s online quoting tool. Some of the exposed data was later used to file unemployment claims.

The Travelers Breach

Travelers similarly experienced a cyberattack through the auto insurance quoting tool used by its independent agents. In April 2021, hackers gained access to Travelers’ agent portal by using compromised agent credentials, which gave the hackers access to customer driver’s license numbers, including the information of approximately 4,000 New York residents. According to DFS, the insurance agent portal was password protected but did not use multifactor authentication.

Penalties

After investigation, DFS determined that both companies were noncompliant with the cybersecurity requirements set forth in 23 NYCRR Part 500. In agreements with OAG and DFS, GEICO and Travelers agreed to improve their respective data security systems and pay monetary penalties. GEICO will pay $9.75 million in penalties while Travelers will pay $1.55 million.

The settlement agreements require the insurance companies to adopt new measures to improve their cybersecurity practices. These measures include:

  • Developing and maintaining a data inventory of private information and ensuring the information is protected by safeguards;
  • Maintaining reasonable authentication procedures for access to private information;
  • Maintaining a logging and monitoring system, as well as reasonable policies and procedures designed to properly configure that system to alert on suspicious activity; and
  • Enhancing their threat response procedures.

In addition, GEICO is required to conduct a risk assessment and develop an action plan, approved by DFS, to address risk areas. Travelers is separately required to perform an internal review of all of its information systems and similarly develop a DFS-approved action plan to address identified risks.

Bond attorneys regularly assist and advise clients on drafting data privacy and cybersecurity policies. For more information regarding data privacy matters, please contact Jessica Copeland, CIPP/US, or any attorney in Bond’s cybersecurity and data privacy practice.