New York Attorney General Sues Allstate and National General Over Data Breaches

New York Attorney General Letitia James has filed a lawsuit against National General Insurance and its parent company, Allstate, over two significant data breaches that compromised the personal information of more than 165,000 New Yorkers. The lawsuit, announced on Monday, alleges that the insurance provider failed to implement adequate cybersecurity measures, did not properly notify affected individuals, and misrepresented its data security practices.

Details of the Data Breaches

National General, a provider of auto, home, and other insurance policies, suffered two breaches in 2020 and 2021, both of which resulted in the unauthorized exposure of driver’s license numbers. According to the New York Office of the Attorney General (OAG), these incidents were preventable and were exacerbated by the company's failure to take appropriate security precautions.

• First Data Breach (2020): Cybercriminals exploited two of National General’s online quoting websites, accessing the driver’s license numbers of approximately 12,000 individuals, including over 9,100 New Yorkers. The company did not detect the breach for two months and failed to notify affected individuals or regulatory agencies.

• Second Data Breach (2021): A third, unsecured quoting website was targeted by threat actors, leading to the exposure of personal information for 187,000 individuals, including about 155,000 in New York. This breach occurred after Allstate had acquired National General, yet security vulnerabilities remained unaddressed.

Allegations and Legal Action

Attorney General James argues that National General and Allstate violated New York's consumer protection laws by:

• Failing to secure private consumer data: The company did not implement reasonable cybersecurity measures, even after the first breach.

• Delaying breach detection and notification: National General did not notify impacted individuals or authorities about the initial breach and allowed similar vulnerabilities to persist.

• Misrepresenting its data security practices: The company provided misleading information about the effectiveness of its cybersecurity policies.

As part of the lawsuit, the OAG seeks financial penalties for these violations and an injunction to prevent further negligence in handling consumer data.

Industry-Wide Concerns

The case against Allstate and National General highlights ongoing challenges in the insurance sector regarding data security. Sensitive customer information, such as driver’s license numbers and other personally identifiable details, is a prime target for cybercriminals.

In a similar case, Texas Attorney General Ken Paxton sued Allstate and its data analytics subsidiary, Arity, in January 2025, alleging the unlawful collection, use, and sale of data belonging to 45 million individuals. These legal actions suggest increasing regulatory scrutiny over how insurers manage and protect customer information.

Implications for Consumers and Businesses

The lawsuit underscores the importance of robust data protection measures for companies handling sensitive personal information. It also serves as a reminder for consumers to stay informed about how their data is managed and to monitor their personal records for any signs of misuse.

Organizations operating in highly regulated industries, such as insurance and finance, must ensure compliance with data protection laws and proactively address security vulnerabilities to prevent costly legal repercussions and reputational damage.

As this case unfolds, it will set a precedent for corporate responsibility in data security and consumer protection, reinforcing the need for stringent cybersecurity policies across industries.