Superintendent Harris Secures More Than $19 Million From Auto Insurance Companies Over Data Breaches

The following information was released by the New York State Department of Financial Services (DFS):

DFS's Industry-Wide Investigation Revealed Cybersecurity Failures that Contributed to Exposure of New Yorkers' Personal Data

October 14, 2025

New York State Department of Financial Services (DFS) Superintendent Adrienne A. Harris today secured more than $19 million in penalties to New York State from eight auto insurance companies for violations of DFS's cybersecurity regulation. Inadequate cybersecurity controls allowed hackers to steal New Yorker's personal information, including driver's license numbers and dates of birth, from online automobile insurance quoting applications. The Department's investigations into these data breaches remain ongoing.

"DFS's first-in-the-nation cybersecurity framework has become a model for safeguarding the integrity of our financial system and the personal information of millions of New Yorkers," said Superintendent Harris. "Today's actions demonstrate the Department's unwavering commitment to holding institutions accountable when they fail to meet these robust standards, and to ensuring that consumers remain protected from data breaches and other cyber risks."

As a result of today's settlements, Farmers Insurance Exchange will pay $2.775 million; Hagerty Insurance Agency, LLC will pay $1.85 million; Hartford Fire Insurance Company will pay $3 million; Infinity Insurance Company will pay $2.25 million; Liberty Mutual Insurance Company will pay $2.7 million; Metromile Insurance Company will pay $2.05 million; Midvale Indemnity Company will pay $2 million; and State Automobile Mutual Insurance Company will pay $2.5 million in civil monetary penalties to the State of New York. The Office of the New York State Attorney General and DFS conducted a coordinated investigation.

The DFS investigation concluded that the auto insurance companies did not comply with DFS's cybersecurity regulation, which requires them to implement policies, procedures, and controls designed to protect consumer data and the information systems of the financial institutions themselves. As a result, threat actors were able to access consumer nonpublic information (NPI) stored on and accessible through their information systems, including driver's license numbers, via public-facing web applications and agent portals that the insurance companies used to provide automobile insurance quotes to prospective customers. DFS alerted all regulated entities of these attacks in two industry letters, dated February 16, 2021 and March 30, 2021.

In addition to the failures described above, Farmers and Infinity failed to timely report their respective cybersecurity events. This notice requirement is a critical safeguard that enables the Department to carry out its responsibility to protect consumers.

As part of the settlements, each company has agreed to conduct remedial measures, including conducting a comprehensive review of the accessibility of consumer NPI stored on their information systems.

Under Superintendent Harris, DFS has entered into consent orders with 27 entities for violations of its cybersecurity regulation resulting in over $144 million in fines. DFS's cybersecurity regulation became effective in March 2017, with an updated amendment effective as of November 2023 designed to enhance cyber governance, mitigate risks, and strengthen protections for New York businesses and consumers against cyber threats. It has served as a model for other regulators, including the U.S. Federal Trade Commission, multiple states, the National Association of Insurance Commissioners, and the Conference of State Bank Supervisors Nonbank Model Data Security Law.

The post SUPERINTENDENT HARRIS SECURES MORE THAN $19 MILLION FROM AUTO INSURANCE COMPANIES OVER DATA BREACHES appeared first on Insurance News | InsuranceNewsNet.