New York State’s Department of Financial Services (DFS) has fined eight auto insurance companies more than $19 million for cybersecurity lapses that exposed the personal data of New Yorkers, including driver’s license numbers and dates of birth. The breaches occurred through online quoting platforms that lacked adequate safeguards.

The settlements include payments from Farmers ($2.78M), Hagerty ($1.85M), Hartford ($3M), Infinity ($2.25M), Liberty Mutual ($2.7M), Metromile ($2.05M), Midvale Indemnity ($2M), and State Auto ($2.5M). DFS found that each failed to comply with its cybersecurity regulation requiring insurers to secure consumer data and promptly report incidents—something both Farmers and Infinity failed to do.

Under Superintendent Adrienne A. Harris, DFS has now reached 27 consent orders totaling over $144 million in penalties since its cybersecurity framework took effect in 2017.