The New York Department of Financial Services (DFS) will collect more than $19 million from eight auto insurers after investigators found cybersecurity failures that exposed drivers’ license numbers and dates of birth through online quoting systems, according to a state announcement Oct. 14.
The penalties apply to:
• Farmers Insurance Exchange ($2.8 million)
• Hagerty Insurance Agency ($1.85 million)
• Hartford Fire Insurance Co. ($3 million)
• Infinity Insurance Co. ($2.25 million)
• Liberty Mutual Insurance Co. ($2.7 million)
• Metromile Insurance Co. ($2 million)
• Midvale Indemnity Co. ($2 million)
• State Automobile Mutual Insurance Co. ($2.5 million)
DFS said the companies failed to comply with its cybersecurity regulation, which requires covered entities to maintain policies, procedures and controls to protect consumer data and their own systems.
Hackers accessed nonpublic information via public-facing web applications and agent portals used to deliver online auto insurance quotes, DFS said. As part of the settlements, each company agreed to remedial actions, including reviews of how consumer data is stored and accessed.
DFS also said Farmers and Infinity failed to timely report their cybersecurity events.
DFS noted that since the regulation took effect in March 2017, 27 companies have paid more than $144 million in fines for violations. An updated amendment, effective November 2023, enhanced cyber governance, mitigated risks and strengthened protections for New York businesses and consumers against cyber threats.
