New York Regulators Hit Eight Auto Insurers with $19 Million in Penalties Following Data Breaches

In a sweeping enforcement action that underscores the growing consequences of inadequate cybersecurity protections, New York’s Department of Financial Services has extracted more than $19 million in penalties from eight major auto insurance companies whose lax security measures allowed hackers to compromise the personal information of New Yorkers.

As we cover more and more news of privacy violations and the expensive fines that follow them, it is imperative to take data privacy seriously, even in a state like New York that has no comprehensive privacy framework.

The October 2025 settlements target companies that failed to adequately protect online automobile insurance quoting applications, enabling threat actors to steal sensitive consumer data including driver’s license numbers and birth dates. The breaches represent a fundamental failure to comply with the state’s pioneering cybersecurity framework, which has increasingly become the gold standard for financial sector data protection nationwide.

The Price of Poor Security

The financial penalties reflect the scope and severity of the violations. Hartford Fire Insurance Company faces the steepest fine at $3 million, followed by Farmers Insurance Exchange at $2.775 million and Liberty Mutual Insurance Company at $2.7 million. Other companies penalized include State Automobile Mutual Insurance Company, Infinity Insurance Company, Metromile Insurance Company, Midvale Indemnity Company, and Hagerty Insurance Agency.

What makes these breaches particularly concerning is their attack vector. Hackers exploited vulnerabilities in public-facing web applications and agent portals—the very tools designed to make obtaining insurance quotes more convenient for consumers. These customer-facing platforms became backdoors into systems containing troves of personal information.

Regulatory Failures Compounded the Problem

Beyond the initial security lapses, two companies—Farmers and Infinity—compounded their violations by failing to promptly report the cybersecurity incidents to regulators. This notification requirement isn’t merely bureaucratic red tape; it’s designed to enable a swift regulatory response that can protect consumers and prevent further damage. Had they also been using data subject request software from Captain Compliance, they could have lowered their fines by storing fewer data subjects than needed.

The Department had actually warned the industry about these specific types of attacks. DFS issued industry-wide alerts in February and March 2021 about these threats, yet the compromised companies still failed to adequately fortify their defenses.

A Pattern of Enforcement

This action fits into a broader enforcement pattern under Superintendent Adrienne A. Harris’s leadership. Since Harris took the helm, DFS has entered into consent orders with 27 entities for cybersecurity regulation violations, collecting over $144 million in fines. The message to the financial services industry is clear: cybersecurity compliance isn’t optional, and failures will carry substantial consequences.

The settlements require more than just financial penalties. Each penalized company must conduct comprehensive reviews of how consumer nonpublic information is stored and accessed across their information systems, addressing the root causes that made the breaches possible.

Why New York’s Framework Matters

New York’s cybersecurity regulation, which became effective in March 2017 and was updated with enhanced provisions in November 2023, has become a model for other regulators. Federal agencies like the FTC, multiple state governments, and industry organizations have looked to New York’s approach when developing their own frameworks.

The regulation’s influence stems from its comprehensive approach, requiring financial institutions to implement specific policies, procedures, and technical controls designed to protect both consumer data and the institutions’ own information systems. It’s not merely about having security measures in place—it’s about having the right measures, properly implemented and regularly assessed.

The Ongoing Investigation

Notably, the Department’s investigations into these breaches remain ongoing, suggesting that additional enforcement actions or findings may emerge. The coordination between DFS and the New York State Attorney General’s Office on these investigations also signals the seriousness with which state authorities are treating cybersecurity failures that compromise consumer data.

For New York consumers affected by these breaches, the settlements serve as both vindication and warning. While the penalties hold companies accountable, they also reveal how vulnerable personal information remains when organizations fail to prioritize security—even in an era when cyberattacks have become routine rather than exceptional.

As cyber threats continue to evolve in sophistication and frequency, New York’s aggressive enforcement stance may prove prescient. The multi-million dollar question for other insurers and financial institutions is whether they’ll learn from these costly examples or become the next cautionary tale.

If you are operating in New York or target New York State consumers you should book a demo to get help with your data governance programs and help lower your financial risk.
