Several large auto insurers have been hit with monetary sanctions after hackers broke into their systems and stole the personal information of thousands of New Yorkers. State regulators found serious security gaps that exposed driver’s license numbers and dates of birth through vulnerable online quoting software. This historic enforcement action marks a new era of accountability.
DFS probes expose widespread cybersecurity compliance failures
The New York Department of Financial Services launched an industry-wide investigation that found systemic cybersecurity weaknesses at several of the largest auto insurers. Attackers had exploited weak security controls to view sensitive consumer data, including driver’s license numbers and dates of birth, through vulnerable web-based auto insurance quote tools and through agents’ websites. The investigation found that these firms had not implemented the policies, procedures, and controls required by DFS cybersecurity rules.
The compromises came through publicly exposed auto insurance web applications that provided quotes to prospective customers. DFS issued two industry alerts, on February 16, 2021, and March 30, 2021, warning all regulated entities about these ongoing attacks. That such compromises were happening so frequently underscored how susceptible the entire auto insurance industry had become to sophisticated cyber attacks.
Late breach reporting compounds the violations
Farmers Insurance Exchange and Infinity Insurance Company compounded their cybersecurity failures by not filing their breach notices within the statutorily required timeframe, undermining notice requirements that exist to support regulatory oversight and coordinated consumer protection.
Eight industry giants hit with substantial fines
The enforcement action fined eight large auto insurers between $1.85 million and $3 million each, reflecting the seriousness of their cybersecurity failures. Hartford Fire Insurance Company pays the most at $3 million, Liberty Mutual Insurance Company pays $2.7 million for failing to implement sufficient security controls, Farmers Insurance Exchange pays $2.775 million, and State Automobile Mutual Insurance Company pays $2.5 million.
Other fines include Infinity Insurance Company at $2.25 million, Metromile Insurance Company at $2.05 million, Midvale Indemnity Company at $2 million, and Hagerty Insurance Agency at $1.85 million. Fines of this size are a tangible sign of regulators’ willingness to penalize institutions that fail to adequately protect consumer information.
“These actions today reflect the Department’s dedication to constitution-based enforcement when institutions are unable to enforce themselves to these high standards, and its dedication to consumer protection against data breach and other cyber harms” – Superintendent Harris
Joint enforcement reflects cross-agency coordination
The New York State Attorney General’s Office worked with DFS on this action, reflecting coordinated cross-agency enforcement against cybersecurity failures that endanger consumers and the integrity of the financial system.
Enforcement sets new norms for cybersecurity accountability
The $19 million in total penalties marks a sharp escalation in cybersecurity enforcement: under Superintendent Harris, DFS has now imposed more than $144 million in penalties on twenty-seven institutions for violations of its cybersecurity rules. The action reflects regulatory priorities that include the integrity of compliance programs and breach incident reporting requirements. These sanctions show that late notice and other cybersecurity violations are treated as compliance failures on a historic scale, carrying steep financial costs.
Enforcement impact at a glance
- Penalized entities: twenty-seven organizations for cybersecurity infractions
- Total fines: over $144 million in penalties imposed
- Regulatory structure: first-of-its-kind model that other jurisdictions are following
- Industry change: baseline security measures across financial products
New York’s strong cybersecurity enforcement raises the stakes for protecting financial institutions’ data, pushing regulatory compliance from a voluntary, optional good into a business imperative. These record fines set standards for accountability that protect millions of consumers and strengthen the integrity of the financial system against looming cyber threats.
