Settlement, Critical Risk

Attorney General James and DFS Superintendent Harris Secure $11.3 Million from Auto Insurance Companies over Data Breaches

Government Employees Insurance Company (GEICO) and The Travelers Indemnity Company (Travelers), November 25, 2024, New York Attorney General

Penalty Amount

$11,300,000

Consumers Affected

120,000

Summary

New York Attorney General Letitia James and New York State Department of Financial Services (DFS) Superintendent Adrienne Harris settled with auto insurers GEICO and Travelers for $11.3 million combined over data breaches that exposed over 120,000 New Yorkers’ personal information, including driver’s license numbers and dates of birth. The breaches stemmed from insufficient data security controls, allowing hackers to steal information and file fraudulent unemployment claims during the COVID-19 pandemic. The settlements require the companies to pay penalties and implement enhanced cybersecurity measures including comprehensive information security programs, data inventories, and improved access controls.

Remedy

GEICO will pay $9.75 million and Travelers will pay $1.55 million, for total penalties of $11.3 million. Both companies must implement comprehensive information security programs, maintain data inventories of private information, adopt reasonable authentication procedures, implement logging and monitoring systems for suspicious activity, and enhance threat response procedures. GEICO must additionally conduct a comprehensive cybersecurity risk assessment and penetration testing with an action plan to address gaps, while Travelers must review systems, assess access controls, and improve protections for nonpublic personal information (NPI).

Monetary Penalty, Compliance Program, Audit Requirement

Contract Impact

In-house legal teams should review all vendor agreements with entities handling personal or nonpublic information to ensure robust cybersecurity requirements are included. Clauses should mandate multifactor authentication for access to sensitive systems, comprehensive information security programs, regular data inventories, and logging/monitoring systems for suspicious activity. Contracts should require vendors to comply with applicable cybersecurity regulations (e.g., DFS Cybersecurity Regulation for New York financial institutions) and conduct periodic risk assessments and penetration testing. Breach response clauses should require prompt detection and notification of breaches, and audit rights should be included to verify compliance with security requirements. For vendors handling nonpublic personal information (NPI), explicit access control and safeguard requirements must be added.

Contract Search Terms

multifactor authentication, data security program, cybersecurity risk assessment, penetration testing, data inventory, access controls, logging and monitoring, breach response plan

Laws Cited

DFS’s cybersecurity regulation

Violation Types

Entity Details

Entity

Government Employees Insurance Company (GEICO) and The Travelers Indemnity Company (Travelers)

Industry

Insurance

Official Sources

Source Evidence

Entity Name
"the Government Employees Insurance Company (GEICO) and The Travelers Indemnity Company (Travelers)"
Fine Amount
"secured $11.3 million in penalties from two auto insurance companies, the Government Employees Insurance Company (GEICO) and The Travelers Indemnity Company (Travelers)"
Fine Amount
"GEICO will pay $9,750,000 in penalties, of which OAG secured $4,750,000 and DFS secured $5 million. Travelers will pay $1,550,000 in penalties, of which OAG secured $350,000 and DFS secured $1,200,000."
Event Date
"November 25, 2024"
Jurisdiction
"New York Attorney General Letitia James and New York State Department of Financial Services (DFS) Superintendent Adrienne A. Harris"
Event Type
"today’s settlements"

Related Enforcement Actions

NY

N/A

New York Attorney General Letitia James issued a consumer alert on May 18, 2026, warning residents of potential price gouging by transportation service providers during the Long Island Rail Road strike. The alert reminds businesses that New York’s price gouging laws prohibit unconscionable price increases on essential services like transportation during market disruptions. No specific privacy violations or enforcement actions against individual entities were announced in the alert.

NY

No specific entity cited

New York Attorney General Letitia James issued a consumer alert on May 18, 2026, warning businesses against engaging in price gouging on transportation services during the Long Island Rail Road strike. The alert reminds businesses that New York’s price gouging laws prohibit unconscionable price increases on essential goods and services during market disruptions, with potential penalties of up to $25,000 per violation. No specific enforcement action against a particular entity was announced, only a general warning for businesses and a call for consumers to report suspected price gouging.

NY

N/A

This press release announces New York Attorney General Letitia James leading a coalition of 21 state attorneys general, the District of Columbia, and Pennsylvania’s Governor in filing an amicus brief with the U.S. Supreme Court to stay a Fifth Circuit ruling that would reinstate in-person dispensing requirements for mifepristone, a medication used for abortion. The coalition argues the ruling is scientifically unsupported, would restrict telehealth access to reproductive care, and undermines state sovereignty over abortion policy post-Dobbs. This is not a privacy-related enforcement action, as the content addresses reproductive health policy rather than data privacy violations.

NY

Uphold HQ, Inc.

$5.0M

New York Attorney General Letitia James secured a $5 million settlement from cryptocurrency platform Uphold HQ, Inc. for promoting Cred’s fraudulent CredEarn investment product as safe and reliable, when Cred was making risky loans to uncreditworthy borrowers in China. Uphold also falsely claimed Cred had comprehensive insurance and promoted the product without registering as a broker or commodity broker-dealer under New York law. As part of the settlement, Uphold will pay $5 million to harmed investors, remit $545,189 from Cred’s bankruptcy to customers, improve due diligence policies for third-party products, and register as a broker with the OAG.

NY

Purdue Pharma

$7.4B

New York Attorney General Letitia James announced the shutdown of opioid manufacturer Purdue Pharma as part of a $7.4 billion settlement with a bipartisan coalition of 54 other state attorneys general. The Sackler family, former owners of Purdue, are permanently barred from selling opioids in the U.S. and have no involvement in Knoa Pharma, the new public benefit corporation replacing Purdue. Purdue was sentenced on criminal charges related to its role in the opioid crisis on April 28, 2026, with the new entity operating under strict oversight and excess revenue funding opioid abatement efforts.

NY

American Express, Capital One, Citi Group, Mastercard, Visa, PayPal, Stripe, Sezzle, Block (operator of Square, Cash App, and Afterpay)

New York Attorney General Letitia James led a bipartisan coalition of 24 state attorneys general, Puerto Rico, and New York City in sending letters to nine major credit card companies and payment processors urging them to block transactions facilitating illegal vaping product sales. The coalition cites federal and state laws prohibiting unauthorized e-cigarette sales, particularly to youth, and requests collaboration to prevent payment networks from processing such transactions. No enforcement penalties or actions were imposed as part of this initiative.