On November 25, NYDFS announced settlements with two auto insurance companies for inadequate data security that compromised the personal information of over 120,000 New York consumers and secured $11.3 million in total penalties. According to NYDFS, hackers exploited vulnerabilities in the companies’ online insurance applications to steal personal information, including driver’s license numbers, which were then used for fraudulent unemployment claims during the Covid-19 pandemic. Investigations revealed that the companies failed to implement sufficient data security controls and did not comply with NYDFS’s cybersecurity regulations. One company entered a consent order to pay $9.75 million and the other a consent order to pay $1.55 million in penalties.

The breaches occurred between November 2020 and April 2021, exposing the personal information of over 120,000 New Yorkers. The companies were criticized for not conducting comprehensive reviews of their systems despite being aware of the cyberattack risks. The settlements required the companies to enhance their cybersecurity measures, including maintaining comprehensive information security programs, developing data inventories, implementing reasonable authentication procedures, and improving logging and monitoring systems. Additionally, one company agreed to conduct a cybersecurity risk assessment and penetration testing, while the other will review its systems and improve protections against unauthorized access to nonpublic personal information.