Penalty Amount
$11,300,000
GEICO and Travelers were fined $11.3 million for data breaches that exposed personal information of over 120,000 New Yorkers due to inadequate cybersecurity. The breaches involved driver's license numbers being stolen and used in fraudulent unemployment claims. The settlements mandate enhanced security measures and penalties.
GEICO must pay $9.75 million and Travelers $1.55 million in penalties. Both companies must implement comprehensive information security programs, maintain data inventories, improve authentication, enhance logging and monitoring, and conduct cybersecurity risk assessments and penetration testing.
In-house legal teams should review all agreements related to online insurance quoting applications, including vendor contracts with software providers, customer privacy policies, and data processing agreements. Focus on clauses governing data security standards (e.g., encryption, access controls), incident response and breach notification timelines, audit rights, and third-party vendor oversight. Given the failure to protect driver's license numbers, contracts must be updated to mandate specific technical safeguards like multi-factor authentication, regular penetration testing, and strict data minimization/retention limits. Vendor agreements should include enforceable security requirements, right-to-audit provisions, and liability for breaches caused by vendor negligence.
Entity
Government Employees Insurance Company (GEICO) and The Travelers Indemnity Company
Also known as: GEICO, Travelers
Industry
Financial Services
Official Press Release
https://ag.ny.gov/press-release/2024/attorney-general-james-and-dfs-superintendent-harris-secure-113-million-auto
geico travelers aod combined
https://ag.ny.gov/sites/default/files/settlements-agreements/geico-travelers-aod-combined.pdf
New York Attorney General Enforcement Page
https://ag.ny.gov/press-releases