New York Attorney General Letitia James on Monday filed a lawsuit against insurance firm National General and its parent company Allstate over two data breaches.
National General, which offers home, vehicle, and other insurance coverage, suffered two data breaches in 2020 and 2021, resulting in the driver’s license numbers of more than 165,000 New Yorkers being compromised.
According to the New York Office of the Attorney General (OAG), National General failed to notify the impacted individuals after the first data breach, and did not take the necessary precautions to protect its systems, which led to the second incident.
Even after it was acquired by Allstate Insurance Company (Allstate) in 2020, National General failed to implement reasonable data security measures, the Attorney General says.
“Attorney General James is seeking penalties for National General’s failure to institute reasonable data security safeguards and notify consumers, and an injunction to stop any continued violations,” the New York OAG says.
The first incident occurred in 2020, when threat actors targeted two of National General’s online quoting websites to expose the driver’s license numbers of roughly 12,000 individuals, including over 9,100 New Yorkers.
National General did not detect the data breach for two months, failed to notify the impacted individuals and the appropriate state agencies, and did not secure a third quoting website that exposed driver’s license numbers.
In February 2021, threat actors targeted this website and compromised the personal information of 187,000 people, including roughly 155,000 New Yorkers.
“National General’s data security failures continued after The Allstate Corporation acquired National General and Allstate took control of National General’s data security function,” the New York OAG says.
Attorney General James alleges that the insurance giant violated New York state’s consumer protection laws by failing to properly secure the private data, that it misinterpreted its cybersecurity practices, and that it failed to provide the appropriate notifications after the first data breach occurred.
In January, Texas Attorney General Ken Paxton filed a lawsuit against Allstate and its subsidiary Arity for unlawfully collecting, using, and selling the data of 45 million people.
Related: Wisconsin Insurer Discloses Data Breach Impacting 950,000 Individuals
Related: Massachusetts Health Insurer Data Breach Impacts 2.8 Million
Related: Apple to Pay $95 Million to Settle Lawsuit Accusing Siri of Eavesdropping
Related: Unconfirmed Hack of 2.9 Billion Records at National Public Data Sparks Media Frenzy Amid Lawsuits
