Auto Insurer Settles for $975K Over New York Data Privacy Claims
New York Attorney General Letitia James (D) on Thursday announced a $975,000 settlement with Root, an auto insurance company she accused of failing to protect the personal data of 45,000 consumers.
The company “failed to perform adequate risk assessments on its public-facing web applications, did not identify the plain text exposure of consumer personal information, and employed insufficient controls to thwart automated attacks,” her office said.
As part of the settlement, Root will need to maintain a comprehensive data security program, an inventory of private data, “reasonable authentication” measures and a logging and monitoring system.
The data breach “was part of an industry-wide campaign to steal consumers’ personal information, including driver’s license numbers and dates of birth, from online automobile insurance quoting applications,” the AG said.
Protecting personal data is a “top priority” at Root, the company said in a statement: “We maintain high data security standards and, in light of this event, have made improvements to avoid fraudulent activity. Any person impacted by the breach was immediately offered credit monitoring services at the time of the incident as [a] precaution.”