United States of America: New York State Attorney General reached settlement with Root over data breach affecting driver’s licence data

On 20 March 2025, the New York State Attorney General (AG) announced a settlement with Root Insurance Company following a data breach affecting approximately 45’000 New Yorkers. The breach involved Root’s online quote tool, which allowed unauthenticated access to unmasked driver’s licence numbers through a prefill function. The Office of the AG found that Root had failed to implement specific safeguards, including rate-limiting, monitoring systems, and user authentication, which enabled automated access to personal data. Consequently, Root agreed to pay USD 975'000 and to implement a number of compliance measures, including maintaining a written information security programme, monitoring for suspicious activity, and using multi-factor authentication.