GEICO, Travelers Data Breaches Show Why Regulation is Important, Say Lawyers
The data breaches that occurred as a result of negligent data security practices by two auto insurance companies, GEICO and Travelers, and the resulting settlements secured by the New York attorney general, are a recent example of why regulation of insurance companies is so important, said lawyers at a Practicing Law Institute webinar Thursday.
“Insurance companies have a lot of information about you, which they need in order to perform their functions,” said Gail Gottehrer, vice president of global litigation at Del Monte Fresh Produce Company. That information is “only going to become more precise, more detailed, reveal more about you,” which, “combined with other information,” proves “why it is important that these industries be regulated and that you have a trained, competent person knowing how you're protecting this information.”
The New York AG office's investigation found that threat actors were able to access personal information of customers of GEICO and Travelers due to poor data security, despite the companies being informed by the Department of Financial Services (DFS) of an industry-wide cyberattack to obtain driver’s license numbers. The resulting breach affected more than 120,000 New Yorkers, said the AG. GEICO had to pay nearly $10 million and Travelers had to pay $1.55 million under the settlement.
Leeza Garber, a cybersecurity and privacy attorney, predicted that the DFS will issue more alerts and reminders about these kinds of cyberattacks in the future, and that should be helpful for companies. “The New York DFS is certainly going to be a leader in establishing the best practices, because they are diving headfirst into investigations,” she said.
A DFS cyber regulation that took effect in 2017 “requires financial services companies to protect nonpublic information,” and also outlines things like risk assessments and comprehensive cybersecurity programs, Gottehrer said.
The DFS rule has been amended twice, reflecting the department's commitment to regulation, Garber said. “They definitely focus on a multi-pronged approach to evaluating cyber risk and monitoring it,” she said. “It also goes to the fact that they want to highlight that this is an evaluating, evolving, moving target.”