New York: AG and NYDFS secure $11.3M from two insurance companies over data breaches
On November 25, 2024, the New York Attorney General (AG) published Assurances of Discontinuance No. 24-082 and No. 24-091 in which the AG, together with the New York Department of Financial Services (NYDFS) Superintendent, reached an $11.3 million settlement with Government Employees Insurance Company (GEICO) and The Travelers Indemnity Company (Travelers) over violations of the Executive Law, the General Business Law (GBL), and the New York Cybersecurity Regulation (23 NYCRR Part 500) following security incidents.
Background to the settlement
Both GEICO and Travelers had been alerted by the NYDFS that threat actors were targeting insurers that maintained online quoting tools in order to gain access to consumers' driver's license numbers (DLNs).
Findings of the AG and the NYDFS
Following its investigation, the AG found that threat actors exploited GEICO's quoting tool and exposed application programming interfaces (APIs), allowing them to access approximately 135,414 DLNs belonging to NY residents.
The AG concluded that GEICO did not adopt reasonable safeguards to protect private information. In particular, the AG found that GEICO failed to:
- design its consumer quoting tool securely to ensure that it transmitted only DLNs that were masked;
- make agent-facing APIs inaccessible in the code of its consumer-facing quoting tool before deploying it to the internet;
- monitor for suspicious activity on all API endpoints handling private information; and
- attribute the anomalous activities it observed to the misuse of its agent-facing APIs until a third party alerted GEICO to it.
The AG noted that after the incident, GEICO implemented additional safeguards to protect private information, including a new design for its quoting tool and additional firewall blocks.
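The three GEICO findings above describe one recurring pattern: a consumer-facing quoting tool that obtained full DLNs through prefill APIs meant for agents, masked them only in the browser, and sat behind endpoints nobody was watching for enumeration. The following is an added illustration of that pattern and its remediation, written for this page and not taken from GEICO's systems, the AG's assurances, or the NYDFS consent orders. Every name, record and log line in it is constructed: `PREFILL_DB` stands in for a prefill data source, the IP addresses are from documentation ranges, and the threshold in `flag_enumeration` is an assumed tuning value.

```python
"""Added example (hypothetical): server-side DLN masking, separation of
agent-facing from consumer-facing lookups, and a simple per-client monitor
over constructed access-log records. Not code from any insurer."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed prefill records; keys are (first, last, zip). Not real people.
PREFILL_DB = {
    ("JANE", "DOE", "10001"): {"dln": "123456789", "vehicle": "2019 HONDA CIVIC"},
    ("JOHN", "ROE", "10002"): {"dln": "987654321", "vehicle": "2021 FORD F-150"},
}


def mask_dln(dln: str, visible: int = 4) -> str:
    """Mask all but the last `visible` characters. Short values are fully masked."""
    if len(dln) <= visible:
        return "*" * len(dln)
    return "*" * (len(dln) - visible) + dln[-visible:]


def _lookup(first: str, last: str, zip_code: str):
    return PREFILL_DB.get((first.upper(), last.upper(), zip_code))


def vulnerable_prefill(first: str, last: str, zip_code: str):
    """'Before' pattern: the full DLN leaves the server; only the browser masks it.
    Anyone calling the endpoint directly (curl, a script) gets the plaintext."""
    rec = _lookup(first, last, zip_code)
    return dict(rec) if rec else None


def consumer_prefill(first: str, last: str, zip_code: str):
    """'After' pattern for the consumer tool: mask on the server, so the full DLN
    never appears in any response the consumer-facing code path can produce."""
    rec = _lookup(first, last, zip_code)
    if not rec:
        return None
    return {"dln_masked": mask_dln(rec["dln"]), "vehicle": rec["vehicle"]}


def agent_prefill(session: dict, first: str, last: str, zip_code: str):
    """Agent-facing lookup kept on a separate, authenticated path. The role check
    is enforced here, not by hiding the route from the consumer front-end."""
    if session.get("role") != "agent":
        raise PermissionError("agent role required")
    rec = _lookup(first, last, zip_code)
    return dict(rec) if rec else None


@dataclass
class LogEntry:
    """One access-log record for an endpoint that handles private information."""
    ts: int          # seconds since start of the sample window
    client: str      # source address or API key id
    endpoint: str
    status: int
    returned_dln: bool  # did the response body carry a DLN (masked or not)?


def flag_enumeration(entries, threshold: int = 5, window: int = 60):
    """Return clients that obtained more than `threshold` DLN-bearing responses
    within any `window`-second span (sliding window over sorted timestamps).
    Threshold and window are assumed tuning values, not figures from the case."""
    by_client = defaultdict(list)
    for e in entries:
        if e.status == 200 and e.returned_dln:
            by_client[e.client].append(e.ts)
    flagged = set()
    for client, times in by_client.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(client)
                break
    return sorted(flagged)


# Constructed log sample: one scripted client pulling eight DLNs in 35 seconds,
# one ordinary user with two lookups, one client generating only 404s.
SAMPLE_LOG = (
    [LogEntry(5 * i, "203.0.113.7", "/api/prefill", 200, True) for i in range(8)]
    + [LogEntry(0, "198.51.100.2", "/api/prefill", 200, True),
       LogEntry(40, "198.51.100.2", "/api/prefill", 200, True)]
    + [LogEntry(3 * i, "203.0.113.9", "/api/prefill", 404, False) for i in range(10)]
)

if __name__ == "__main__":
    print(vulnerable_prefill("Jane", "Doe", "10001"))   # full DLN exposed
    print(consumer_prefill("Jane", "Doe", "10001"))     # masked only
    print(flag_enumeration(SAMPLE_LOG))                 # ['203.0.113.7']
```

The point of the split between `consumer_prefill` and `agent_prefill` is that the protection does not depend on which routes the front-end JavaScript happens to call: the consumer path cannot emit a full DLN at all, and the agent path refuses a non-agent session regardless of how it was reached. The monitor is deliberately minimal; in practice a client hammering a PII endpoint with failing lookups (the third client in the sample) is also worth a second rule, since it is typically the reconnaissance phase of the same enumeration.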
In Travelers' case, the AG noted that Travelers failed to detect the threat actors that gained access to its portal using compromised credentials.
Therefore, in the view of the AG, both GEICO and Travelers violated GBL §899-bb and the Executive Law §63(12).
Additionally, the NYDFS found that GEICO violated 23 NYCRR §§500.2(b), 500.3(i), 500.3(k), 500.5, 500.8(a), 500.9(a), 500.14(a), and 500.17(b), and that Travelers violated 23 NYCRR §§500.5(d), 500.5(k), 500.7, and 500.12(a).
Outcomes
In light of the above, the AG required GEICO and Travelers to:
- maintain a comprehensive, written information security program that is reasonably designed to protect the security, integrity, and confidentiality of private information that they collect, maintain, use, or disclose;
- employ a qualified employee responsible for implementing, maintaining, evaluating, updating, and monitoring the information security program as the Chief Information Security Officer;
- develop and maintain an inventory of all applications that collect, maintain, use, or disclose private information;
- develop, implement, and maintain written policies and procedures designed to ensure that reasonable safeguards are used to protect private information at all times, including masking, encryption, and obfuscation;
- develop, implement, and maintain a system designed to collect and monitor network activity; and
- monitor for, and conduct reasonable investigations of, security events as soon as they become aware of them.
The NYDFS required GEICO to conduct a cybersecurity risk assessment and Travelers to conduct an access controls and non-public information (NPI) review of all information systems.
Additionally, GEICO agreed to pay both the AG and the NYDFS a total of $9.7 million in penalties, and Travelers agreed to pay $1.5 million.
You can read the AG's press release here, the AG's assurances here, the NYDFS press release here, and the NYDFS's consent order on GEICO here and on Travelers here.