The DFS announced the penalties in a Tuesday (Oct. 14) press release, saying that all the companies failed to protect consumer data and that two of them also failed to report data breaches in a timely manner.
The companies include Farmers Insurance Exchange, Hagerty Insurance Agency, Hartford Fire Insurance Company, Infinity Insurance Company, Liberty Mutual Insurance Company, Metromile Insurance Company, Midvale Indemnity Company, and State Automobile Mutual Insurance Company, according to the release.
“DFS’s first-in-the-nation cybersecurity framework has become a model for safeguarding the integrity of our financial system and the personal information of millions of New Yorkers,” New York State Department of Financial Services Superintendent Adrienne A. Harris said in the release.
“Today’s actions demonstrate the Department’s unwavering commitment to holding institutions accountable when they fail to meet these robust standards, and to ensuring that consumers remain protected from data breaches and other cyber risks,” Harris said.
Reached by PYMNTS, The Hartford said in an emailed statement that the company’s settlements related to data incidents caused by threat actors in 2021.
“The threat actors exploited insurance companies’ online quoting platforms to obtain certain personally identifiable information, in particular driver’s license numbers, that was then used to apply for fraudulent unemployment claims in New York during the COVID-19 pandemic,” the statement said.
“We identified and quickly resolved the issues in 2021 by further securing our online quoting systems from potential misuse,” The Hartford’s statement concluded.
The other seven insurance companies did not immediately reply to PYMNTS’ request for comment.
According to the DFS press release, the eight companies failed to implement required policies, procedures and controls designed to protect consumer data. As a result, threat actors were able to access consumer data through the public-facing web portals and agent portals that the companies used to provide insurance quotes, the release said.
In addition, two of the companies — Farmers and Infinity — failed to report their data breaches in a timely manner, the DFS said.
The settlements announced Tuesday require each of the eight companies to pay civil monetary penalties ranging from $1.85 million to $3 million and to conduct remedial measures, including a review of the accessibility of consumer data stored on their information systems, according to the release.
In an earlier, separate move, the DFS said in October 2024 that it issued new guidance to help DFS-regulated entities address and combat cybersecurity risks arising from artificial intelligence.
The DFS said the guidance does not impose new requirements but helps institutions meet their existing obligations under cybersecurity regulations.