New York Attorney General Letitia James filed a lawsuit Monday against Allstate’s National General unit, accusing the insurer of failing to report data breaches that exposed drivers’ license numbers of nearly 200,000 people.
Filed in Manhattan state court, the lawsuit alleges poor data security led to breaches in 2020 and 2021 where hackers targeted online insurance quoting tools. The breaches compromised license numbers of 199,000 individuals, including more than 165,000 New Yorkers. The legal action seeks civil fines of $5,000 per violation along with additional remedial measures.
According to prosecutors, National General failed to notify affected drivers or New York state agencies about the first breach, which occurred between August and November 2020. The company allegedly took three months to discover the second, more significant breach in January 2021. Notably, Allstate, based in Northbrook, Illinois, acquired National General that same month for approximately $4 billion.
“The back-to-back data breaches were remarkable in scale because the company made it easy for bad actors,” prosecutors stated in the lawsuit.
James contends that National General’s actions violated the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which requires companies to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of private information.”
Under the 2005 law, a security breach is defined as unauthorized acquisition of computerized data that compromises the security of private information. The SHIELD Act expanded this definition to include any access to computerized data that compromises the confidentiality, security, or integrity of private data.
The law covers personal information combined with Social Security numbers, driver’s license numbers, or account numbers. The SHIELD Act further expanded protection to include biometric information, usernames, email addresses, and password credentials.
The Attorney General also claims the company violated state consumer protection laws by misleading customers about its data security practices. “National General’s weak cybersecurity emboldened hackers to steal New Yorkers’ personal data, not once but twice,” James said. “It is crucial that companies take cybersecurity seriously to protect consumers from fraud and identity theft.”
Allstate disputes these allegations. In a statement on its website, the company defended its response: “We resolved this issue years ago, promptly securing our systems after finding vulnerabilities in online quoting tools that could have exposed drivers’ license numbers. We promptly notified regulators, contacted potentially affected consumers and offered free credit monitoring as a precaution.”
Erich Kron, security awareness advocate at KnowBe4, highlighted potential risks from notification failures. “One easy way a bad actor could use this against a customer is to contact them while pretending to be from the insurance company, then convincing them that they need to pay a bill,” he explained.
This case follows similar enforcement actions last November, when James and New York’s Department of Financial Services fined Berkshire Hathaway’s Geico unit $9.75 million and Travelers $1.55 million over alleged security lapses that compromised drivers’ personal information.
The attorney general’s office has reaffirmed its commitment to holding companies accountable for failing to protect sensitive personal information.