$11.3 Million Penalty for GEICO and Travelers Over Data Breaches

New York's cybersecurity regulations continue to make waves with their aggressive enforcement, and the latest case is a clear reminder that data security is no longer optional for financial institutions and companies handling personal data. On November 25, 2024, the New York Attorney General’s office and the Department of Financial Services (“NYDFS”) announced a hefty $11.3 million penalty against GEICO and Travelers for inadequate data security that exposed the sensitive information of over 120,000 New Yorkers.

The breaches were part of a larger cyberattack campaign aimed at stealing personal data, including driver’s license numbers and dates of birth, from online auto insurance quoting tools. Hackers exploited weaknesses in these tools to harvest the data and then used it to file fraudulent unemployment claims during the height of the COVID-19 pandemic. Both GEICO and Travelers failed to implement adequate security measures to protect this sensitive data, leaving it vulnerable to cybercriminals.

For GEICO, the breach began in 2020 when hackers accessed driver’s license numbers through the company's auto insurance quoting tools. Despite being aware of an industry-wide attack targeting similar data, GEICO failed to conduct a thorough review of its systems to prevent future breaches. The personal data of over 116,000 New Yorkers was exposed. Similarly, Travelers’ breach resulted from compromised agent credentials, which allowed hackers to access driver’s license numbers stored in the company’s portal. Travelers didn’t detect the breach for over seven months, leaving personal information of approximately 4,000 individuals at risk.

In addition to the financial penalties, GEICO and Travelers have agreed to implement a number of corrective measures to enhance their cybersecurity practices moving forward. This includes maintaining comprehensive information security programs, improving authentication procedures, better protecting nonpublic personal information (“NPI”), and strengthening their data breach response procedures.

These penalties highlight how crucial it is for insurance companies, and any business handling sensitive customer data, to comply with New York’s cybersecurity regulations. The NYDFS Cybersecurity Regulation (23 NYCRR 500), which has been in effect since 2017, lays down clear requirements for companies to protect their systems and customer data. Amendments made to the regulation in 2023 introduced stricter rules regarding access control, password policies, and breach detection, making clear that businesses can no longer afford to be lax in their data security efforts.

For businesses that may still be lagging in their cybersecurity practices, these penalties should be a reminder that the NYDFS is committed to holding companies accountable for any lapses in security that lead to data breaches. And given the broader trend toward heightened enforcement across the country, businesses in all industries must act now to ensure they’re up to date with both state and federal cybersecurity requirements.

Businesses should prioritize strengthening their cybersecurity posture by conducting thorough system reviews and implementing up-to-date security measures. This includes training personnel on cybersecurity best practices, ensuring robust access controls, and staying proactive with incident response plans. The penalties levied against GEICO and Travelers underscore the importance of adhering to regulations, so it's essential to stay compliant with current laws to avoid penalties, mitigate data breach risks, and protect your reputation in an increasingly cyber-aware world.

© 2024 Cliclaw.com

This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.
