New York Files Lawsuit Against Allstate for Data Breach and Security Failures

The New York attorney general, Letitia James, has taken legal action against Allstate’s National General unit for alleged failures to protect consumer data and report data breaches. The lawsuit, filed in a Manhattan state court, seeks financial penalties and improved security measures in response to breaches that exposed thousands of driver’s license numbers.

The breaches, which occurred in 2020 and 2021, were linked to vulnerabilities in National General’s online auto insurance quoting tools. Hackers were able to exploit these weaknesses to access the driver’s license numbers of over 165,000 New Yorkers and nearly 200,000 individuals in total. The attorney general’s office claims that National General did not have sufficient safeguards in place to prevent unauthorized access and did not promptly notify affected individuals or state agencies.

According to the complaint, the first breach occurred between August and November 2020 but was not disclosed by National General. It was only in early 2021 that the company became aware of a second, larger breach after months of exposure. The lawsuit alleges that this failure to act violated New York’s SHIELD Act, which requires companies to secure private data and report breaches in a timely manner.

Attorney General James criticized National General’s lax security practices, stating that weak cybersecurity protections allowed bad actors to exploit the company twice within a short period. The lawsuit seeks penalties of up to $5000 per violation. Allstate, which acquired National General in January 2021, defended its response to the breaches, citing swift actions to address vulnerabilities, notify regulators, and provide credit monitoring services to affected consumers.

Despite Allstate’s actions, the lawsuit argues that the company’s response was inadequate and that stronger security measures should have been in place earlier. Erich Kron, a security awareness advocate at KnowBe4, emphasized the risks of not notifying customers about breaches, as stolen data can be used by bad actors to impersonate insurance companies and deceive customers.

This legal action is part of a broader enforcement trend against insurance companies in New York. State regulators have recently imposed fines on firms like Geico and Travelers for security lapses compromising consumer data. The attorney general’s office remains committed to holding companies accountable for failing to protect sensitive personal information, signaling potential future lawsuits for companies that do not meet data protection standards.

As cybersecurity failures face increasing scrutiny, organizations are urged to promptly contact victims of data breaches and provide actionable advice. Failure to do so could result in legal consequences and reputational damage for companies that do not prioritize data security and consumer protection.
