New York Sues Allstate over Data Breach Failures

A new lawsuit filed by New York Attorney General Letitia James has sparked renewed attention on the importance of cybersecurity, particularly in industries holding sensitive personal information. The case targets National General, a subsidiary of Allstate, accusing the company of failing to report a data breach and neglecting to implement reasonable safeguards to protect customer data. Here’s what we know so far and what it means for you.

The Breach That Sparked the Lawsuit

According to a recently published article on Reuters, the lawsuit stems from two data breaches that hit National General in late 2020 and early 2021. Hackers exploited vulnerabilities in the company’s online auto insurance quoting tools to steal sensitive data, including the driver’s license numbers of over 165,000 New Yorkers and nearly 200,000 individuals nationwide.

The first breach occurred between August and November 2020. Due to inadequate monitoring, National General didn’t detect the breach for two months. Worse yet, the company didn’t notify affected consumers or state regulators about the incident, leaving them in the dark.

By January 2021, a second, even larger breach was identified. This breach targeted a separate quoting tool and exposed additional license data for 155,000 New Yorkers. Experts cited weak protection measures on these public-facing websites as a major vulnerability that cybercriminals were quick to exploit.

Allegations of Negligence and Non-Compliance

Attorney General James’s lawsuit paints a picture of systemic failure, citing violations of both the state’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act and consumer protection laws. According to James, National General’s failure to secure its systems not only made the breaches possible but also allowed valuable time to pass before the company acted.

One of the core allegations is the company’s misrepresentation of its cybersecurity practices. Customers were led to believe their information was secure, but the breaches revealed glaring weaknesses. The lawsuit also criticizes National General’s failure to notify victims of the initial breach, depriving them of the opportunity to take protective actions like freezing their credit.

Attorney General James is seeking civil penalties of $5,000 per violation and additional remedies. Given the scale of the breach, the financial repercussions could add up to tens of millions of dollars for National General and its parent company, Allstate.

Allstate’s Response

Allstate, which acquired National General for $4 billion in early 2021 amidst the fallout of the breaches, has defended its response. The company stated that the vulnerabilities in its systems were promptly addressed and that affected consumers were notified and offered free credit monitoring services.

However, the lawsuit contradicts this, arguing that National General’s actions were both delayed and insufficient to meet the standards of consumers and New York law. The case now awaits assessment in a Manhattan state court, underlining ongoing concerns over cybersecurity protocols in industries managing sensitive personal data.

The Rising Cost of Data Breaches

This lawsuit is part of a broader effort by the New York Attorney General’s office to hold companies accountable for cybersecurity lapses. Over the past two years, similar enforcement actions have targeted prominent insurers like GEICO and Travelers, resulting in settlements of $11.3 million and over $1.5 million respectively.

These cases highlight a growing trend of regulators cracking down on insufficient data protection practices. For businesses, the cost of non-compliance is mounting—not just in terms of legal penalties, but in reputational damage as well.

What This Means for Consumers

If your personal information is compromised in a data breach, the risks extend beyond the immediate theft itself. Stolen driver’s license numbers, for instance, can be used for identity theft, fraudulent benefit claims, and even creating fake identities. For victims, the time and resources required to undo the damage can feel overwhelming.

While companies bear the responsibility of protecting your information, the legal process often doesn’t move quickly enough to address immediate risks to affected individuals. This makes it critical for consumers to stay proactive.

Protecting Your Data in a Digital World

While lawsuits like these emphasize the need for companies to implement stricter security protocols, individuals must also take steps to protect themselves. Here are some practical tips to reduce your risk:

• Monitor Your Accounts Regularly: Keep an eye on your bank accounts, credit reports, and identity monitoring services for unusual activity.
• Utilize Multi-Factor Authentication (MFA): Whenever possible, enable MFA on your online accounts to add an extra layer of protection.
• Freeze Your Credit: If you suspect your information has been compromised, placing a credit freeze can prevent criminals from opening new accounts in your name.
• Stay Cautious Online: Avoid clicking on links or downloading files from unknown sources, as phishing attempts often accompany large data breaches.

For businesses, the lawsuit serves as a stark reminder of the importance of proactive cybersecurity measures. Regular audits, updated security software, and compliance with data protection laws are critical steps to prevent costly breaches and protect customer trust.

Data is the lifeblood of our digital economy, but with this reliance comes responsibility. The New York Attorney General’s case against National General and Allstate underscores how vital it is for companies to prioritize cybersecurity, not as a reaction to breaches, but as a foundational practice. For consumers, the lesson is equally clear—staying informed and vigilant is your best defense in a world where your personal information is often just a few clicks away.