New York’s Lawsuit Against Allstate/National General
- Avraham Cohen
- Apr 27
If you are in a hurry, skip ahead to the section "Best Practices to Avoid Similar Claims".
Introduction
In March 2025, New York Attorney General Letitia James filed suit against Allstate Insurance Company and its subsidiary, National General, over two cyberattacks in 2020–2021.
The complaint alleges National General’s poor data security exposed drivers’ license numbers of nearly 200,000 customers (about 165,000 New Yorkers) via vulnerable online quoting tools (New York sues Allstate over data breach, alleged security lapses | Reuters).
According to the AG, National General failed to report the first breach and had “weak cybersecurity” safeguards, in violation of state law (New York sues Allstate over data breach, alleged security lapses | Reuters) (Attorney General James Sues National General and Allstate Insurance for Failing to Protect New Yorkers’ Personal Information).
This case cites violations of New York’s SHIELD Act (requiring “reasonable safeguards” for personal data) and consumer protection laws for misleading statements about security (New York sues Allstate over data breach, alleged security lapses | Reuters) (Attorney General James Sues National General and Allstate Insurance for Failing to Protect New Yorkers’ Personal Information).
Breach Timeline and Details
Between August and November 2020, hackers exploited vulnerabilities in National General’s public auto-quote websites.
Those sites were designed to display full driver’s license numbers (DLNs) in plain text with minimal user input (New York AG goes after National General and Allstate over five year old cyberattack | Insurance Business America).
As a result, nearly 12,000 customers’ DLNs were harvested (including about 9,100 New Yorkers) without triggering any alarms (Attorney General James Sues National General and Allstate Insurance for Failing to Protect New Yorkers’ Personal Information) (New York AG goes after National General and Allstate over five year old cyberattack | Insurance Business America).
Due to inadequate monitoring and lack of attack controls, National General did not detect this breach for two months (Attorney General James Sues National General and Allstate Insurance for Failing to Protect New Yorkers’ Personal Information) (New York AG goes after National General and Allstate over five year old cyberattack | Insurance Business America).
Rather than immediately remediating the vulnerability, National General left another quoting site (for independent agents) similarly exposed (Attorney General James Sues National General and Allstate Insurance for Failing to Protect New Yorkers’ Personal Information) (New York AG goes after National General and Allstate over five year old cyberattack | Insurance Business America).
In October 2020 the attackers then targeted that agent portal, which National General already knew was insecure.
This second breach compromised DLNs of more than 187,000 individuals (about 155,000 New Yorkers) and other sensitive data (New York AG goes after National General and Allstate over five year old cyberattack | Insurance Business America).
National General only discovered the larger breach in January 2021, roughly three months later (New York sues Allstate over data breach, alleged security lapses | Reuters) (New York AG goes after National General and Allstate over five year old cyberattack | Insurance Business America).
In both attacks, data were easily accessed because the quoting tools did not properly authenticate or limit access to DLNs (Attorney General James Sues National General and Allstate Insurance for Failing to Protect New Yorkers’ Personal Information) (New York AG goes after National General and Allstate over five year old cyberattack | Insurance Business America).
Lawsuit Allegations and Claims
The New York complaint charges that National General (NG) – an Allstate unit acquired in early 2021 (New York sues Allstate over data breach, alleged security lapses | Reuters) (New York AG goes after National General and Allstate over five year old cyberattack | Insurance Business America) – violated multiple laws by its conduct.
Key claims include:
Failure to Report a Breach: National General allegedly did not notify affected drivers or state regulators after the first breach, violating New York’s breach-notification requirements (New York sues Allstate over data breach, alleged security lapses | Reuters) (Attorney General James Sues National General and Allstate Insurance for Failing to Protect New Yorkers’ Personal Information). The SHIELD Act and state cybersecurity regulations require prompt notice when sensitive data are accessed (New York sues Allstate over data breach, alleged security lapses | Reuters) (Attorney General James Sues National General and Allstate Insurance for Failing to Protect New Yorkers’ Personal Information).
Inadequate Data Security (SHIELD Act): The suit says NG lacked “reasonable” technical safeguards. National General’s quoting tools exposed DLNs in plain text and lacked basic protections against automation, reflecting a failure of due care (Attorney General James Sues National General and Allstate Insurance for Failing to Protect New Yorkers’ Personal Information) (New York AG goes after National General and Allstate over five year old cyberattack | Insurance Business America). New York law (the Stop Hacks and Improve Electronic Data Security Act) mandates robust security measures; the AG alleges NG breached this duty (New York sues Allstate over data breach, alleged security lapses | Reuters) (New York AG goes after National General and Allstate over five year old cyberattack | Insurance Business America).
Consumer Protection Violations: The complaint asserts that NG misrepresented its cybersecurity posture to customers. Its privacy notices and policies promised safeguards, but in practice DLNs were openly exposed (New York sues Allstate over data breach, alleged security lapses | Reuters). This is alleged to violate NY’s General Business Law (deceptive trade practices) for misleading customers about data safety (New York sues Allstate over data breach, alleged security lapses | Reuters).
Negligence/Gross Mismanagement: By failing to train staff on incident response and not involving IT security promptly, NG’s leadership was negligent in protecting consumer data. The lawsuit emphasizes that NG’s own security assessments identified thousands of unremediated vulnerabilities (12,000 in one quarter) and that employees did not even know an incident-response process existed.
Requested Remedies: The AG seeks civil penalties (up to $5,000 per violation under NY law (New York sues Allstate over data breach, alleged security lapses | Reuters)), injunctive relief, and restitution. She aims to force Allstate/National General to improve cybersecurity practices and to notify all affected consumers properly (Attorney General James Sues National General and Allstate Insurance for Failing to Protect New Yorkers’ Personal Information) (New York sues Allstate over data breach, alleged security lapses | Reuters).
Technical Failures Cited
The lawsuit identifies concrete cybersecurity breakdowns at National General.
The quoting websites exposed DLNs without authentication (Attorney General James Sues National General and Allstate Insurance for Failing to Protect New Yorkers’ Personal Information).
An external assessment noted that, even in early 2020, NG had huge gaps (e.g. failing PCI scans with 12,000 unresolved vulnerabilities).
Internal policies were outdated: for example, controls addressed fax/mail transmission but not web-based data.
Employees who found the November 2020 breach were unaware that a formal incident-response plan existed.
NG had failed to train anyone on identifying or reporting a breach. As one Allstate cybersecurity leader noted, “it [did not] appear that the broader [National General] technology organization understood when it was appropriate to engage cybersecurity or privacy or the law department” during an incident.
By contrast, the lawsuit argues, companies must follow sound controls (encryption, access controls, logging, etc.) and be prepared to contain intrusions quickly.
National General’s delays allowed hackers to extract data over months.
According to the complaint, even after the first attack was detected in late 2020, NG did not scan its systems or remove the exposed data before the second attack (Attorney General James Sues National General and Allstate Insurance for Failing to Protect New Yorkers’ Personal Information) (New York AG goes after National General and Allstate over five year old cyberattack | Insurance Business America).
Allstate’s Response and Industry Context
Allstate has stated that it “resolved this issue years ago,” claiming it secured the systems, notified regulators and consumers, and offered free credit monitoring (New York sues Allstate over data breach, alleged security lapses | Reuters) (New York AG goes after National General and Allstate over five year old cyberattack | Insurance Business America).
The company emphasizes that the vulnerabilities were fixed after Allstate took over National General’s IT in early 2021.
Nonetheless, the lawsuit highlights that the attacks began before Allstate’s acquisition, and that the alleged failures persisted even after Allstate assumed responsibility (Attorney General James Sues National General and Allstate Insurance for Failing to Protect New Yorkers’ Personal Information).
This enforcement action follows other recent New York cases.
In late 2024, the NY AG and NY DFS fined GEICO and Travelers for lax security (New York AG goes after National General and Allstate over five year old cyberattack | Insurance Business America).
The insurance sector in New York is clearly under scrutiny for consumer-protection and data-security compliance.
CISOs in insurance and financial services should note that regulators may treat weak cybersecurity and reporting failures as violations of law, not just internal errors.
Implications for CISOs
For cybersecurity leaders, this case underscores several points:
Compliance is enforceable: Laws like NY’s SHIELD Act require not only policies but demonstrable safeguards. A lapse in basic controls (exposed DLNs) can be a legal violation (New York sues Allstate over data breach, alleged security lapses | Reuters) (New York AG goes after National General and Allstate over five year old cyberattack | Insurance Business America).
Breach response readiness: Failing to detect or report a breach can trigger statutory penalties and damage trust. NG’s multi-month blind spot led to claims of negligence and fines (Attorney General James Sues National General and Allstate Insurance for Failing to Protect New Yorkers’ Personal Information) (New York sues Allstate over data breach, alleged security lapses | Reuters).
Post-merger security integration: M&A can introduce gaps if the acquired firm’s practices are weak. Allstate/National General reportedly struggled to align NG’s practices after 2021 (Attorney General James Sues National General and Allstate Insurance for Failing to Protect New Yorkers’ Personal Information). CISOs should ensure due diligence addresses not just policies on paper but actual security posture.
Transparency and policies: Public statements or privacy notices that overpromise (e.g. “we maintain safeguards”) can be used as evidence of misrepresentation if practice falls short (New York AG goes after National General and Allstate over five year old cyberattack | Insurance Business America). Align external promises with technical reality.
In summary, regulators may hold executives accountable for lapses that threaten consumer data.
CISOs should view this lawsuit as a warning: implement layered defenses (strong authentication, encryption, intrusion monitoring, incident response training, etc.), and have robust breach-notification processes ready.
Simple “cyber hygiene” steps can mitigate risk – for example, using strong passwords, up-to-date software, multi-factor authentication and least-privilege access controls dramatically improve security (Cybersecurity Best Practices | Cybersecurity and Infrastructure Security Agency CISA).
Developing and exercising a tailored incident response plan is also crucial (Cybersecurity Best Practices | Cybersecurity and Infrastructure Security Agency CISA).
Best Practices to Avoid Similar Claims
Restrict Data Exposure: Never display or log sensitive identifiers (like full DLNs) in plaintext on public interfaces. Apply input validation and data obfuscation by default (Attorney General James Sues National General and Allstate Insurance for Failing to Protect New Yorkers’ Personal Information) (New York AG goes after National General and Allstate over five year old cyberattack | Insurance Business America).
Implement Robust Monitoring: Use automated detection (SIEM/IDS) to spot unusual access patterns quickly. Review system logs continuously to detect intrusions within hours, not months.
Keep Software Patched: Regularly scan for vulnerabilities and remediate them promptly. A backlog of 12,000 unpatched flaws was noted at National General – avoid such large gaps with routine patch management.
Strengthen Authentication: Use strong credentials and multi-factor authentication for all portals (including agent access). Ensure any partner or agent portal meets the same security standards.
Incident Response Training: Educate all staff (not just IT) on how to recognize and report security incidents. The NY complaint noted that employees did not know what constituted a breach. Simulate breach scenarios and update the IR plan regularly.
Timely Breach Notification: Be fully aware of legal requirements (e.g. NY SHIELD Act) for notifying authorities and affected customers. Establish clear internal procedures so that detection triggers immediate action and compliance reporting.
Vendor and Third-Party Risk Management: Regularly audit third-party systems (like agent tools) that access your data. Ensure contracts require the same security controls and incident reporting obligations.
Accurate Privacy Commitments: Align your privacy policies and customer communications with actual security practices. Avoid vague or inaccurate statements about data protection that could be deemed misleading.
By following these practices – many of which are endorsed by federal guidance like CISA and NIST (Cybersecurity Best Practices | Cybersecurity and Infrastructure Security Agency CISA) – CISOs can better protect customer data and reduce legal and regulatory risk.
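As an added, constructed illustration of the "Restrict Data Exposure" and "Implement Robust Monitoring" points above (not code from the article or from the companies it discusses), the Python below flags a client that pulls an abnormal number of quotes from a hypothetical /quote endpoint within a short window, and masks a DLN before it can reach a response body; the endpoint name, log-line format and threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

QUOTE_PATH = "/quote"        # hypothetical quote-tool endpoint (assumed name)
WINDOW_SECONDS = 300         # look-back window for per-client request counting
MAX_QUOTES_PER_WINDOW = 20   # alert threshold; tune against real legitimate traffic


def parse_line(line):
    """Parse one constructed access-log line: '<ip> <ISO time> <method> <path> <status>'."""
    ip, ts, _method, path, _status = line.split()
    return ip, datetime.fromisoformat(ts), path


def find_harvesters(lines):
    """Return {ip: peak_requests_in_window} for clients that exceed the threshold
    on the quote endpoint. A sliding window per client makes a burst of automated
    quote lookups stand out from an ordinary shopper's handful of requests."""
    windows = defaultdict(deque)
    flagged = {}
    for ip, ts, path in (parse_line(l) for l in lines):
        if not path.startswith(QUOTE_PATH):
            continue
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()                       # drop requests older than the window
        if len(q) > MAX_QUOTES_PER_WINDOW:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def mask_dln(dln, visible=3):
    """Mask a driver's license number so only the last `visible` characters remain;
    a public quote page should render this form, never the full identifier."""
    return "*" * (len(dln) - visible) + dln[-visible:]


# Constructed sample traffic (not real data): one ordinary shopper with two
# requests, and one scraper pulling 25 different quotes inside a single minute.
SAMPLE_LINES = [
    "198.51.100.2 2020-09-01T10:00:00 GET /quote?zip=11201&dob=1975-05-05 200",
    "198.51.100.2 2020-09-01T10:03:10 GET /quote?zip=11201&dob=1975-05-05 200",
] + [
    f"203.0.113.7 2020-09-01T10:00:{i:02d} GET /quote?zip=1000{i % 10}&dob=1980-01-{i + 1:02d} 200"
    for i in range(25)
]

if __name__ == "__main__":
    print(find_harvesters(SAMPLE_LINES))   # {'203.0.113.7': 25}
    print(mask_dln("A123456789"))          # *******789
```

In production the flagged set would feed a SIEM alert or a rate limiter on the quote tool, so that harvesting is noticed within minutes rather than the months described in the complaint.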
References
Jonathan Stempel, “New York sues Allstate over data breach, alleged security lapses,” Reuters, Mar. 10, 2025.
NY Attorney General Letitia James, “Attorney General James Sues National General and Allstate Insurance for Failing To Protect New Yorkers’ Personal Information,” NY OAG Press Release, Mar. 10, 2025.
Matthew Sellers, “New York AG goes after National General and Allstate over five year old cyberattack,” Insurance Business America, Mar. 11, 2025.
Cybersecurity and Infrastructure Security Agency (CISA), “Cybersecurity Best Practices” (webpage).