
New York State has fined eight major auto insurance companies a combined total of more than $19 million after an investigation uncovered major cybersecurity failures that exposed the personal data of residents, including driver’s license numbers and birthdates.
The settlement—announced October 14, 2025—follows a wide-ranging investigation led by Superintendent Adrienne Harris of the New York Department of Financial Services (DFS).
Which companies were fined?
The DFS imposed civil penalties on the following insurers:
- Hartford Fire Insurance Company – $3 million
- Farmers Insurance Exchange – $2.775 million
- Liberty Mutual Insurance Company – $2.7 million
- Infinity Insurance Company – $2.25 million
- Metromile Insurance Company – $2.05 million
- Midvale Indemnity Company – $2 million
- State Automobile Mutual Insurance Company – $2.5 million
- Hagerty Insurance Agency, LLC – $1.85 million
These fines come as part of a joint investigation between DFS and the New York State Attorney General’s Office.
What went wrong?
The companies failed to follow DFS’s cybersecurity regulation, which requires financial institutions to:
- Protect consumer data
- Secure online systems that store sensitive information
- Detect and report cybersecurity events
In these cases, online quote tools and agent portals allowed unauthorized access to nonpublic information (NPI), including:
- Driver’s license numbers
- Dates of birth
- Other personal identifiers
The exposure was linked to weak cybersecurity measures and delayed breach reporting by some insurers, notably Farmers and Infinity, which failed to notify regulators promptly.
What’s being done now?
Each insurer has agreed to implement comprehensive remedial measures, which include:
- Reviewing all systems storing consumer data
- Enhancing web application security
- Strengthening reporting protocols for cyber incidents
DFS first warned the industry about these vulnerabilities back in early 2021 through two formal bulletins—yet several companies failed to act in time.
DFS: Leading the way in cybersecurity enforcement
Superintendent Harris emphasized the importance of strong digital safeguards, calling the DFS framework a “national model” for protecting consumer data in financial services.
Since its launch in 2017, DFS’s cybersecurity regulation has led to over $144 million in fines across 27 enforcement actions. The latest amendments—effective as of November 2023—include enhanced governance rules and stronger protections against evolving cyber threats.
Other regulators have taken notice. DFS’s model has inspired frameworks by the FTC, the National Association of Insurance Commissioners, and multiple U.S. states.
What this means for New Yorkers
This enforcement action sends a clear message: failing to safeguard personal data is no longer acceptable.
Consumers across New York—and beyond—can expect increased scrutiny of how insurance providers protect sensitive information online. While the fines are significant, the focus now shifts to how these companies will prevent future breaches.
