New York’s fight against data breaches faces persistent challenges

Cybersecurity failures expose gaps in justice for breach victims

November 26, 2024 Robert Abruzzese, Courthouse Editor
Attorney General Letitia James has been a strong advocate for consumer protection, securing millions in penalties from companies over data breaches. Yet, systemic issues in cybersecurity leave victims struggling for true justice. Photo: Yuki Iwamura/AP
Share this:

Attorney General Letitia James and Department of Financial Services Superintendent Adrienne Harris announced a settlement with GEICO and Travelers insurance companies, securing $11.3 million in penalties over poor data security practices. 

Despite the victory, the broader issue of data breaches remains a persistent problem, with victims often left without meaningful recourse.

The breaches, which compromised the personal information of more than 120,000 New Yorkers, exposed vulnerabilities in the companies’ systems. Hackers accessed driver’s license numbers and other private information, exploiting these weaknesses to file fraudulent unemployment claims during the height of the COVID-19 pandemic.

“GEICO and Travelers offer drivers protection during times of emergencies, but these companies failed to protect consumers’ personal information,” said Attorney General James. “Data breaches can lead to serious fraud, and that is why it is important for all companies to take cybersecurity and data protection seriously.”

While the settlements require the companies to enhance their cybersecurity practices, the cases highlight an ongoing issue in data security. GEICO failed to detect multiple vulnerabilities, even after being warned of industry-wide cyberattack campaigns. Similarly, Travelers’ lack of multifactor authentication and delayed response to the breach further exposed consumers to risk.

This pattern of lax security measures followed by enforcement action is not new. Attorney General James has taken steps to hold companies accountable, but enforcement often comes after the damage is done. Victims whose personal information is used to commit fraud frequently face long-lasting consequences, including financial and emotional strain, with little compensation or resolution.

GEICO’s breaches affected approximately 116,000 New Yorkers, while Travelers’ security failures exposed the data of 4,000 individuals. In both cases, hackers exploited weaknesses in the companies’ quoting tools, highlighting systemic flaws in the protection of consumer data.

Despite penalties and mandatory cybersecurity improvements, the settlements do little to address the fallout for victims. Many have already dealt with fraudulent unemployment claims and the ensuing bureaucratic hurdles.

The agreements require both companies to implement enhanced cybersecurity measures, including comprehensive risk assessments, stricter authentication procedures and better monitoring systems. While these measures are a step forward, the question remains whether they will prevent future breaches or if companies will continue to prioritize convenience over security until forced otherwise.

Attorney General James has secured millions in penalties from companies across various industries. In October 2024, a Capital Region health care provider agreed to pay $2.25 million for failing to safeguard private medical data. Similarly, in August 2024, a biotech company faced a $4.5 million settlement for compromising patient data. While these actions demonstrate a strong commitment to accountability, the recurring nature of such incidents highlights the systemic issues that have yet to be resolved.

The core problem lies in a lack of proactive security measures by many companies, coupled with insufficient deterrents for negligence. Cybersecurity regulations exist, but enforcement often occurs only after breaches have already caused harm. Companies face fines and mandates to improve security, but the penalties are often a fraction of the revenue these businesses generate, making them an insufficient incentive for meaningful change.

Additionally, consumers bear the brunt of these breaches, dealing with identity theft, fraudulent transactions and the emotional toll of navigating bureaucratic red tape. Free credit monitoring and identity theft protection, while helpful, are a limited solution that does little to compensate victims for the disruption and stress they endure.

Despite Attorney General James’ aggressive pursuit of accountability, the cycle remains largely unchanged. Companies neglect security, breaches occur, settlements are reached, and consumers are left to pick up the pieces.





Leave a Comment


Leave a Comment