Privacy & Information Security Law Blog

On March 10, 2025, the Attorney General of New York filed a lawsuit against several insurance companies doing business as Allstate Insurance Company (“Allstate”) and National General for alleged violations of New York’s breach notification law, general business laws and consumer protection laws. The complaint alleged that National General (which was subsequently acquired by Allstate) (1) failed to secure consumers’ driver’s license numbers, (2) failed to notify affected consumers regarding an initial data breach, and (3) misrepresented its data security practices. The AG alleged that due to National General’s alleged failure to implement reasonable data security safeguards, the company’s auto insurance quote tools exposed driver’s license numbers to unauthenticated users, allowing these driver license numbers to be harvested in repeated bot attacks during two separate data breaches.

The first breach, which occurred between August and November 2020, exposed the driver’s license numbers of approximately 12,000 individuals, including more than 9,100 New Yorkers. The AG alleged that because National General had not implemented tools to block automated attacks or monitor potentially malicious activity on its consumer auto insurance quoting websites, National General did not detect the breach for over two months. According to the AG, after detecting the first breach, National General failed to notify affected individuals and relevant regulators and identify whether driver’s license numbers or other private information was exposed in other parts of National General’s environment. National General allegedly left consumers’ full driver’s license data exposed on a separate quoting tool that was available to a network of independent agents.

The second breach, which targeted National General’s independent insurance agent system, occurred around October 2020 but was not detected by National General until late January 2021. According to the AG, Allstate only reported the first incident to consumers and regulators after its acquisition of National General closed and the second breach had been detected. Specifically, Allstate began reporting the incident to relevant regulators in February 2021 and notified New York residents in April 2021. The second breach compromised the driver’s license numbers of more than 187,000 consumers, including approximately 155,000 New Yorkers. The complaint also alleges that National General misrepresented its data security practices to consumers in both a notice sent directly to insurance policyholders and its online privacy policy. The AG is seeking civil penalties, a permanent injunction and other equitable relief.  

This lawsuit is part of a larger trend of New York’s AG taking action against auto insurance companies in connection with alleged security violations.