New York Attorney General Sues National General and Allstate Over Data Breaches

New York Attorney General Letitia James has filed a lawsuit against National General and its parent company, Allstate Insurance, alleging they failed to protect consumer data, resulting in two major data breaches in 2020 and 2021. The breaches exposed the driver’s license numbers of over 165,000 New Yorkers after attackers exploited vulnerabilities in National General’s online quoting systems. The lawsuit claims that National General failed to notify affected consumers and neglected to implement adequate security measures, even after Allstate took over its data security operations.

The first breach, discovered in late 2020, affected two public-facing websites and exposed nearly 12,000 individuals’ data, including more than 9,100 New Yorkers. National General allegedly took two months to detect the breach and failed to notify impacted individuals. A second breach occurred in early 2021 when hackers exploited similar vulnerabilities on a separate quoting website used by independent insurance agents. This breach compromised the personal information of another 187,000 consumers, including approximately 155,000 New Yorkers.

The lawsuit argues that National General violated state consumer protection laws by failing to secure sensitive data, misrepresenting its cybersecurity practices, and neglecting to notify affected consumers in a timely manner. James is seeking penalties and an injunction to prevent further data security lapses. The case underscores the growing regulatory scrutiny on insurance companies to safeguard consumer information from cyber threats.