New York’s Attorney General, Letitia James, has filed a data breach lawsuit against Allstate and its subsidiary, National General, for alleged failures in protecting consumer data. The legal action alleges negligence and violations of New York state data security laws.
The Attorney General’s office claims in a press release that National General failed to adequately notify customers about a 2021 data breach. They further allege a failure to thoroughly investigate whether sensitive information was compromised beyond the initially identified scope that lead to the larger Allstate data breach in 2022.
The National General data breach lawsuit states that the breach resulted from a failure to implement reasonable data security measures, both before and after Allstate acquired the company in January 2021.
“National General’s weak cybersecurity emboldened hackers to steal New Yorkers’ personal data, not once but twice in two separate cyberattacks,” said New York Attorney General Letitia James.
“National General mishandled New Yorkers’ personal information and violated the law by failing to inform them that their data was stolen.”
Allstate responded to the data breach lawsuit with a statement:
“We resolved this issue years ago, promptly securing our systems after finding vulnerabilities in online quoting tools that could have exposed driver’s license numbers. We promptly notified regulators, contacted potentially affected consumers and offered free credit monitoring as a precaution.”
National General has yet to respond to requests for comment.
The first breach exposed the driver’s license numbers of approximately 12,000 individuals, while the second compromised an additional 187,000.
The legal action seeks penalties and an injunction to prevent further violations. The Attorney General’s office emphasizes that New York law mandates appropriate data security measures for companies handling New Yorker’s personal information.
This case highlights the critical importance of robust cybersecurity practices for enterprise businesses, as detailed in our article on Top Cyber Threats Facing Enterprise Businesses in 2025.
The increasing sophistication of cyberattacks, as seen in this case and the millions of records compromised in 2024, underscores the need for proactive security measures and incident response plans.
The data breach lawsuit underscores the significant legal and financial consequences of inadequate data security. Companies must prioritize robust cybersecurity measures to protect consumer data and comply with relevant regulations. Failure to do so can result in substantial penalties and reputational damage.
