New York secures over $19 million in settlements from auto insurers over data breaches

October 24, 2025

On October 14, both the New York Office of the Attorney General (OAG) and NYDFS announced settlements totaling more than $19 million with eight auto insurance companies following a joint investigation into data breaches that purportedly exposed the personal information of hundreds of thousands of New York State residents. Investigators determined the companies failed to implement adequate “cybersecurity controls,” allowing threat actors to access nonpublic information (NPI), including driver’s license numbers and dates of birth, through consumer-facing insurance-quote applications and agent portals.

The investigation found the insurers did not comply with the state’s Cybersecurity Regulation (Part 500), which requires that covered entities maintain policies and procedures to protect consumer data and information systems. The breaches were enabled by unaddressed weaknesses in online quote tools, including the use of pre-fill functions that auto-populated sensitive data when minimal information was entered. The investigation also revealed that two companies failed to notify regulators of cybersecurity events in a timely manner, as required under the regulation.

Under the settlements, the companies agreed to pay civil penalties and to conduct comprehensive reviews of the accessibility of consumers’ NPI on their systems. The settlements further required companies to implement remedial measures, including establishing a robust cybersecurity program, creating and updating an inventory of consumer NPI, strengthening authentication controls for access to private data, and improving their ability to detect and respond to suspicious activity and cyber threats. The OAG announced that affected consumers would be offered free credit monitoring for one year.

The consent orders, which totaled over $19 million, levied penalties of between $1.85 million and $3 million on each auto insurance company.