What Companies Can Learn from New York’s Data Breach Fines: Lessons from PayPal, Geico, and Travelers

As cyber threats continue to escalate, regulatory bodies are cracking down on companies that fail to protect customer data. New York, in particular, has taken a strong stance against cybersecurity negligence, imposing hefty fines on organizations that violate data protection laws. However, companies outside of New York should also take note, as other states and federal agencies are ramping up their cybersecurity enforcement efforts.

Recent penalties against PayPal, Geico, and Travelers highlight the consequences of inadequate security measures. This post explores these cases, the broader legal framework that empowers regulatory bodies to act, and how businesses—especially those operating in cloud and SaaS environments—can avoid similar pitfalls, regardless of their location.

Case Studies: Recent Data Breach Fines

1. PayPal: The $2 Million Fine

In a recent enforcement action, PayPal was fined $2 million by the New York State Department of Financial Services (NYDFS) for failing to adequately protect customer accounts. The breach, which occurred in December 2022, allowed unauthorized access to user data, exposing sensitive financial information. NYDFS identified gaps in PayPal’s security measures and imposed the fine as a warning to financial institutions handling sensitive consumer data.

Key Takeaways:
  • Weak authentication and security gaps can lead to regulatory scrutiny, not just in New York but across the U.S. and globally.
  • Financial institutions and businesses handling sensitive customer data must implement multi-factor authentication (MFA) and advanced encryption.
  • Incident response plans must be regularly tested to ensure rapid containment and mitigation of breaches.
  • Companies should adopt a zero-trust security model, ensuring continuous verification of users and devices accessing sensitive systems.

2. Geico: The $6 Million Fine

In 2020, Geico suffered a data breach in the form of a series of cyberattacks that exploited vulnerabilities in its online sales system, allowing attackers to access customer driver’s license numbers. The NYDFS fined the company $6 million in November 2024 for failing to implement adequate safeguards to protect personally identifiable information (PII).

Lessons from Geico’s Breach:
  • Security misconfigurations can have severe legal and financial consequences, making continuous monitoring essential.
  • SaaS application security must be a top priority, as many breaches exploit weaknesses in customer-facing portals.
  • Companies should conduct penetration testing and vulnerability scanning regularly to detect exploitable flaws.
  • Implementing real-time anomaly detection and data-driven security analytics can help identify and mitigate threats before they escalate.
  • Organizations must enforce strict data access controls to minimize exposure in case of a breach.

3. Travelers: The $5.3 Million Fine

The insurance giant Travelers was also penalized for cybersecurity failings. The 2021 breach stemmed from weaknesses in the company’s security controls, which led to unauthorized access to customer information. NYDFS imposed a $5.3 million fine in November 2024, reinforcing the importance of strict adherence to cybersecurity regulations.

Key Insights:
  • Strong identity and access management (IAM) controls are essential to limit unauthorized access to sensitive data.
  • Companies should adopt least-privilege access principles, ensuring employees and third parties only have access to the data necessary for their roles.
  • Cyber risk assessments must be an ongoing process, not a one-time activity, to stay ahead of evolving threats.
  • Employee training programs must be regularly updated to address the latest social engineering and phishing attack trends.
  • Cloud and SaaS security should be proactively managed to prevent misconfigurations and unauthorized data exposure.

The Legal Framework: Cybersecurity Regulations Beyond NY

While New York has some of the most stringent cybersecurity laws, other states and regulatory bodies are following suit. Companies should be aware of key regulations, including:

NYDFS Cybersecurity Regulation (23 NYCRR 500)

  • Requires financial institutions to implement a cybersecurity program.
  • Mandates periodic risk assessments and security incident reporting.
  • Imposes strict rules on data encryption and multi-factor authentication.

SHIELD Act

  • Applies to all businesses handling New York residents’ private data.
  • Requires reasonable security measures to protect customer information.
  • Expands the definition of a data breach to include unauthorized access.

Other Regulations to Consider

  • California Consumer Privacy Act (CCPA): Requires businesses to protect consumer data and disclose breaches.
  • General Data Protection Regulation (GDPR – EU): Imposes strict data security requirements on companies handling EU customer data.
  • FTC Safeguards Rule: Enforces security measures for non-bank financial institutions in the U.S.

What This Means for Businesses: Compliance & Security Best Practices

Organizations, especially those leveraging cloud and SaaS platforms, must take proactive steps to ensure compliance, regardless of location:

  1. Enhance Security Posture – Implement strong IAM policies, encryption, and continuous monitoring.
  2. Regular Risk Assessments – Conduct security audits to identify vulnerabilities before attackers do.
  3. Incident Response Planning – Develop and test a robust breach response plan.
  4. Cloud & SaaS Security Optimization – Ensure third-party vendors meet compliance standards.
  5. Employee Training – Conduct cybersecurity awareness training to reduce human error risks.
  6. Compliance with State and Federal Laws – Stay updated with evolving cybersecurity regulations across different regions.
  7. Adopt Security Tools – Automate threat detection and response to minimize human intervention in security processes.

Consult With CheckRed to Improve Your Compliance Posture

New York’s aggressive enforcement of cybersecurity laws sends a clear message: companies must prioritize data protection or face severe consequences. The fines against PayPal, Geico, and Travelers underscore the importance of compliance with NYDFS regulations and the SHIELD Act, but these lessons extend far beyond New York’s borders.

Businesses must take a proactive approach to cybersecurity, particularly those using cloud and SaaS environments. Investing in strong security frameworks, continuous risk assessments, and compliance strategies is a necessity.

Don’t wait until a breach forces your hand. The security experts at CheckRed are here to help you stay ahead of threats, ensure compliance, and fortify your cloud and SaaS environments against costly attacks. Get in touch today for a personalized demo and take control of your security!