New York Attorney General Letitia James has reached a settlement with Root, an auto insurance company, securing $975,000 in penalties for failing to protect the personal information of approximately 45,000 New Yorkers. The breach involved unauthorized access to consumers' personal data, including driver’s license numbers and dates of birth, from online automobile insurance quoting applications. This compromised data was subsequently used for fraudulent unemployment claims during the COVID-19 pandemic.
Although Root does not provide insurance services in New York, its security shortcomings allowed scammers to access sensitive information belonging to New Yorkers. Previously, Attorney General James secured settlements totaling $5.1 million from GEICO and Travelers and $500,000 from Noblr for similar failures in data protection. With this latest settlement, the total amount collected from auto insurers over inadequate data security practices reaches $6.57 million.
Attorney General James emphasized the importance of robust data security measures: “When companies have poor data security practices, they put individuals at risk of identity theft and other fraud.” She added that today's settlement serves as a warning to the auto insurance industry about the consequences of neglecting consumer privacy.
Root's system exposed full driver’s license numbers in plain text within PDFs generated during their quote process. In January 2021, Root identified malicious exploitation of this vulnerability but failed to conduct adequate risk assessments or implement sufficient controls against automated attacks.
The Office of the Attorney General (OAG) concluded that Root did not adopt reasonable safeguards for protecting private information. As part of the settlement terms, Root is required to enhance its data security protocols by maintaining a comprehensive information security program and developing reasonable authentication procedures among other measures.
Attorney General James has been active in holding companies accountable for cybersecurity lapses. In March 2025, she filed a lawsuit against Allstate Insurance following exposure incidents affecting over 165,000 New Yorkers’ information. Previous actions include securing settlements with various organizations over inadequate data protection measures and launching privacy guides aimed at helping businesses and consumers safeguard their information.
The investigation into this matter was led by Assistant Attorneys General Gena Feist and Laura Mumm along with other team members under the supervision of Deputy Bureau Chief Clark Russell and Bureau Chief Kim Berger from the Bureau of Internet and Technology.