Penalty Amount
$11,300,000
Consumers Affected
120,000
New York Attorney General Letitia James and New York State Department of Financial Services (DFS) Superintendent Adrienne Harris settled with auto insurers GEICO and Travelers for $11.3 million combined over data breaches that exposed over 120,000 New Yorkers’ personal information, including driver’s license numbers and dates of birth. The breaches stemmed from insufficient data security controls, allowing hackers to steal information and file fraudulent unemployment claims during the COVID-19 pandemic. The settlements require the companies to pay penalties and implement enhanced cybersecurity measures including comprehensive information security programs, data inventories, and improved access controls.
GEICO will pay $9.75 million and Travelers will pay $1.55 million in total penalties of $11.3 million. Both companies must implement comprehensive information security programs, maintain data inventories of private information, adopt reasonable authentication procedures, implement logging and monitoring systems for suspicious activity, and enhance threat response procedures. GEICO must additionally conduct a comprehensive cybersecurity risk assessment and penetration testing with an action plan to address gaps, while Travelers must review systems, assess access controls, and improve protections for nonpublic personal information (NPI).
In-house legal teams should review all vendor agreements with entities handling personal or nonpublic information to ensure robust cybersecurity requirements are included. Clauses should mandate multifactor authentication for access to sensitive systems, comprehensive information security programs, regular data inventories, and logging/monitoring systems for suspicious activity. Contracts should require vendors to comply with applicable cybersecurity regulations (e.g., DFS Cybersecurity Regulation for New York financial institutions) and conduct periodic risk assessments and penetration testing. Breach response clauses should require prompt detection and notification of breaches, and audit rights should be included to verify compliance with security requirements. For vendors handling nonpublic personal information (NPI), explicit access control and safeguard requirements must be added.
Entity
Government Employees Insurance Company (GEICO) and The Travelers Indemnity Company (Travelers)
Industry
InsuranceOfficial Press Release
https://ag.ny.gov/press-release/2024/attorney-general-james-and-dfs-superintendent-harris-secure-113-million-auto
Kx3Ng4n2NOaQ06WYnEh5xa aQ76LvlzBWvWAtpsZzuU=380 ;JSUlJSUlJQ!
https://urldefense.com/v3/__https:/links-1.govdelivery.com/CL0/https:*2F*2Fag.ny.gov*2Fsites*2Fdefault*2Ffiles*2Fsettlements-agreements*2Fgeico-travelers-aod-combined.pdf/1/0100019363bb075a-4a9e40aa-0726-482c-b918-d1e3c806689a-000000/Kx3Ng4n2NOaQ06WYnEh5xa_aQ76LvlzBWvWAtpsZzuU=380__;JSUlJSUlJQ!!Ke5ujdWW74OM!8sPcCdEWzzFgL_DMsj5kNdEsvslmVXMswJ0jnX0mfQsX6AzdjPX8DxZ-r7LPKroYD0nr6DAcIO4oA26aXr4GIvKJGIUkpNUQP1CU3aZrtmRw$
New York Attorney General Enforcement Page
https://ag.ny.gov/press-releases
"the Government Employees Insurance Company (GEICO) and The Travelers Indemnity Company (Travelers)"
"secured $11.3 million in penalties from two auto insurance companies, the Government Employees Insurance Company (GEICO) and The Travelers Indemnity Company (Travelers)"
"GEICO will pay $9,750,000 in penalties, of which OAG secured $4,750,000 and DFS secured $5 million. Travelers will pay $1,550,000 in penalties, of which OAG secured $350,000 and DFS secured $1,200,000."
"November 25, 2024"
"New York Attorney General Letitia James and New York State Department of Financial Services (DFS) Superintendent Adrienne A. Harris"
"today’s settlements"
$5.0M
New York Attorney General Letitia James secured a settlement with cryptocurrency platform Uphold HQ, Inc. for misleading investors by promoting Cred’s fraudulent CredEarn investment product as a safe, reliable savings option when it involved risky loans to uncreditworthy borrowers. Uphold will pay $5 million to harmed investors, redirect $545,189 in Cred bankruptcy proceeds to affected customers, and implement enhanced due diligence policies for third-party investment products. Uphold must also register as a broker with the Office of the Attorney General.
New York Attorney General Letitia James led a bipartisan coalition of 24 state attorneys general, Puerto Rico, and New York City in sending letters to nine major credit card companies and payment processors urging them to block transactions facilitating illegal vaping product sales. The coalition cites federal and state laws prohibiting unauthorized e-cigarette sales, particularly to youth, and requests collaboration to prevent payment networks from processing such transactions. No enforcement penalties or actions were imposed as part of this initiative.
New York Attorney General Letitia James and Tennessee Attorney General Jonathan Skrmetti, leading a coalition of 40 state attorneys general, secured a jury verdict on April 15, 2026, against Live Nation and Ticketmaster for maintaining illegal monopolies in the live events industry. The jury found the companies engaged in anticompetitive practices including exclusive venue contracts, forcing competitors out of the market, and limiting artist performance choices, resulting in overcharged consumers. Remedies, including potential financial penalties and a monopoly breakup, are pending court approval.
New York Attorney General Letitia James, joined by 16 other states, sued the U.S. Department of Education over a new survey requiring colleges to submit extensive student data, arguing it violates the Administrative Procedure Act and threatens student privacy. The lawsuit seeks to block the mandate and prevent penalties for non-compliance.
A bipartisan coalition of 35 state attorneys general led by New York Attorney General Letitia James sent a demand letter to xAI on January 26, 2026, requiring the company to address its Grok chatbot’s creation and sharing of nonconsensual intimate images, including child sexual abuse material. The AGs demand that xAI implement safeguards to prevent Grok from generating such content, delete existing harmful content, suspend offending users, and give X users control over whether their content can be edited by Grok. No monetary penalty has been imposed as this is a pre-enforcement demand for action.
New York Attorney General Letitia James sent a letter to Instacart demanding information about its use of algorithmic pricing, after a study found users were charged up to 23% more for identical products. The AG warned that Instacart’s pricing disclosures are non-compliant with New York’s Algorithmic Pricing Disclosure Act, which requires prominent notices near product prices when personal data is used to set prices. Instacart must provide details on its pricing experiments, automated tools, and compliance efforts with the state’s disclosure requirements.