New York Attorney General Sues National General & Allstate for Failing to Safeguard New Yorkers’ Personal Information

Key Takeaways

  • Data Breaches Impacting 165,000 New Yorkers: National General’s weak cybersecurity led to two separate breaches, exposing the personal data, including driver’s license numbers, of more than 165,000 New Yorkers.
  • Failure to Notify Consumers: After the first breach in 2020, National General failed to notify impacted individuals or investigate further vulnerabilities, contributing to a second, larger breach months later.
  • Legal Action and Accountability: New York Attorney General Letitia James has filed a lawsuit, seeking financial penalties and an injunction, holding National General and Allstate accountable for failing to protect sensitive consumer data.
  • Cybersecurity Oversights: Despite taking over National General’s cybersecurity operations, Allstate failed to prevent the second breach, exposing even more personal information.

Deep Dive

New York Attorney General Letitia James recently filed a lawsuit against National General and its parent company, Allstate Insurance, over a string of data breaches that exposed the personal information of over 165,000 New Yorkers. The lawsuit paints a troubling picture of how weak cybersecurity practices allowed hackers to access sensitive information not once but twice, due to a series of preventable oversights.

The heart of the issue lies in two back-to-back breaches in 2020 and 2021, where National General’s inadequate data security exposed the driver’s license numbers of thousands of residents. What makes this case even more concerning is National General’s failure to take swift action following the first breach, setting the stage for the second, larger breach months later. Despite knowing about the vulnerabilities, the company left its customers’ sensitive data exposed, putting consumers at risk.

“National General’s weak cybersecurity emboldened hackers to steal New Yorkers’ personal data, not once but twice in two separate cyberattacks,” said Attorney General James. “National General mishandled New Yorkers’ personal information and violated the law by failing to inform them that their data was stolen. It is crucial that companies take cybersecurity seriously to protect consumers from fraud and identity theft, and my office will always hold those who fail to do so accountable.”

Here’s how it unfolded: National General’s online auto insurance quoting systems, which are meant to make it easy for consumers to get insurance quotes, had a serious flaw. The websites were displaying full driver’s license numbers in plain text with only minimal user input. Hackers seized on this vulnerability, easily accessing sensitive data. The first breach, which took place in 2020, compromised nearly 12,000 individuals’ data, including over 9,100 New Yorkers. Despite this, National General failed to notify those affected or alert the appropriate authorities about the breach. Even worse, the company left the same type of personal information exposed on another quoting site used by independent agents.

The second breach, much larger in scale, happened months later in 2021. This time, the personal information of 187,000 individuals was exposed, including the driver’s license numbers of 155,000 New Yorkers. The breach was discovered only after attackers had gained access to the system due to the company’s ongoing data security failures. Even after Allstate took over National General’s cybersecurity function, the issues persisted, and the company did little to prevent further attacks.

Driver’s license numbers are particularly valuable to cybercriminals—they can be used to commit a wide range of fraudulent activities, including identity theft and government benefits fraud. Under New York law, companies that collect or store personal data are required to take proper measures to protect that data and notify consumers if it’s compromised. In this case, Attorney General James alleges that National General not only failed to protect the information but also misrepresented its data security practices to consumers.

This isn’t the first time Attorney General James has gone after auto insurance companies for failing to secure personal data. Last December, she secured a $500,000 settlement with Noblr for a similar data breach involving more than 80,000 New Yorkers. And in November, a joint effort between her office and the New York State Department of Financial Services (DFS) resulted in an $11.3 million settlement from GEICO and Travelers Insurance for their own data security failures that affected over 120,000 New Yorkers.

In the lawsuit, Attorney General James is seeking financial penalties for National General’s failure to safeguard personal information and an injunction to prevent further violations. This case continues to highlight the ever-growing importance of data security in an increasingly digital world. When companies handle sensitive consumer information, it’s not just their responsibility—it’s their obligation to ensure that data is kept safe. The outcome of this lawsuit could set an important precedent for how companies must approach cybersecurity and consumer protection going forward.
