On 25 November 2024, the New York Attorney General and the Department of Financial Services reached a settlement agreement with GEICO that includes USD 9.75 million in penalties for data breaches that exposed the personal information of 116'000 New York residents. The breaches resulted from vulnerabilities in GEICO's quoting tools for consumers and agents, which hackers exploited to access driver license numbers. As a result of the investigation, GEICO is required to strengthen its cybersecurity practices, including implementing comprehensive information security programs, maintaining data inventories with safeguards, enhancing authentication procedures and monitoring systems, and conducting threat response and penetration testing. GEICO must also conduct a cybersecurity risk assessment.