A PYMNTS Company

NY Attorney General Takes Legal Action Against Allstate for Cybersecurity Failures

By  |  March 10, 2025

New York state has filed a lawsuit against Allstate’s (ALL.N) National General unit, alleging the insurer failed to properly disclose a data breach that compromised the driver’s license numbers of hundreds of thousands of individuals. According to Reuters, the lawsuit, led by New York Attorney General Letitia James, was submitted in a Manhattan state court and seeks civil penalties for the alleged lapses in data security and reporting.

    Get the Full Story

    Complete the form to unlock this article and enjoy unlimited free access to all PYMNTS content — no additional logins required.

    yesSubscribe to our daily newsletter, PYMNTS Today.

    By completing this form, you agree to receive marketing communications from PYMNTS and to the sharing of your information with our sponsor, if applicable, in accordance with our Privacy Policy and Terms and Conditions.

    Per Reuters, the case stems from two consecutive cyberattacks in 2020 and 2021, where hackers exploited vulnerabilities in National General’s online auto insurance quoting system. These breaches exposed the personal information of over 165,000 New Yorkers and nearly 200,000 individuals nationwide.

    The complaint asserts that National General failed to notify affected drivers or relevant state authorities about the initial breach, which occurred between August and November 2020. It further claims that the company took approximately three months to detect a second breach in January 2021, signaling deficiencies in its cybersecurity measures.

    Related: FCC Responds to Cybersecurity Threats with CALEA Ruling

    According to Reuters, New York state contends that National General violated the Stop Hacks and Improve Electronic Data Security (SHIELD) Act by neglecting to implement adequate protections for customer data. The lawsuit also accuses the insurer of violating consumer protection laws by misleading customers regarding the security of their personal information.

    Allstate, headquartered in Northbrook, Illinois, acquired National General for approximately $4 billion in January 2021. The lawsuit marks a significant legal challenge for the insurer, as state officials seek to hold companies accountable for cybersecurity shortcomings and failure to comply with data protection regulations.

    As the case progresses, it could set a precedent for how insurers and financial institutions handle cybersecurity breaches and consumer notifications, reinforcing the importance of stringent data protection measures in an increasingly digital landscape.

    Source: Reuters