On March 20, 2025, the New York Attorney General (“NYAG”) announced a settlement with Ohio-based Root Insurance relating to privacy practices concerning its online auto insurance quoting tool. As part of the settlement, Root agreed to pay $975,000 and to adopt a variety of security measures, including creation of a data inventory that requires Root to map and/or track the complete path of all data flows involving consumers’ personal information, including API calls. Root neither admits nor denies the NYAG’s findings.
Background
Root offers auto insurance and, like many automobile insurers, it offers online applications for quotes. Many insurers recognize that consumers do not know their driver’s license number, and Root, like others, would “prefill” that information once the user entered their name and address. Root obtained this information from a third-party data provider, and the information also included the names and driver’s license numbers of other residents at that address. That information is private information governed by, among other requirements, New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”).
In January 2021, threat actors began targeting Root’s website to obtain this information and, according to the complaint, targeted New York drivers in order to use that information to claim (fraudulently) unemployment benefits. The complaint states that the attack began on January 19, 2021, and that a Marketing employee at Root noticed the increase in “unattributed profiles” (profiles with no indicator of how the user had been directed to Root) on January 27, 2021. The security team was notified that day and began taking mitigation actions (including implementing CAPTCHA and blocking automated traffic). The next day, Root took additional actions, culminating in turning off the “prefill” function.
NYAG Claims
The NYAG claimed that Root had “failed to adopt reasonable safeguards to protect the private information” (¶ 17) and “failed to adequately assess the potential risks of handling private information within its public-facing web applications.” (¶ 18). The NYAG also alleged that Root had not used rate-limiting tools to prevent the repeated, automated use of the quote tool (¶ 19), and did not have adequate policies and procedures (¶ 20). As a result, the NYAG claimed that Root’s conduct violated the SHIELD Act.
The Settlement
The settlement (called an Assurance of Discontinuance) requires that Root pay $975,000 and implement an information security program. That program must include several elements: (a) a data inventory; (b) governance; (c) implementing a secure software development lifecycle; (d) authentication; web application defenses; (e) monitoring; and (f) threat response. The data inventory requirement includes not only identifying “all points at which Private Information is collected, used, stored, retrieved, transmitted, displayed, maintained, or otherwise processed” (¶ 31(a)), but also requires that Root “Map and/or track the complete path of all data flows involving Private Information, including API calls.” (¶ 31(b)).
What is an API call, and how can it be mapped or tracked?
Although the term “API” is often used in legal discussions of privacy and security, many practitioners may have only a fuzzy notion of what the term means unless they have hands-on experience with software development or security. An “API,” or “Application Programming Interface,” is a structured set of rules and/or protocols that defines clear methods for asking a piece of software to provide information, perform an action, or do something else. Although APIs may operate locally between one piece of software and another (for example, an application making requests to an operating system), the term “API” in privacy and data security more often refers to the way in which browser software (in the case of websites) or a mobile app (in the case of mobile devices) makes a network request to a server and receives a corresponding response. APIs are used for all sorts of things, for example: location services (geocoding, reverse geocoding, directions), payment processing (Stripe API, PayPal REST API, Square Payments API), AWS (S3 storage), analytics, ad delivery, ad targeting, and many other purposes. Companies may also have their own first-party APIs.
The privacy issues raised by APIs include:
- The extent of data collection (APIs are often data hogs)
- Applicable terms and conditions (what are the purposes to which the data will be put?)
- Company awareness (did Legal and Infosec approve?)
- User awareness (is the data use and collection something the user would expect?)
“API mapping,” from a privacy standpoint, consists of using a repeatable, formalized process to determine what data is sent to the API and to understand the data lifecycle once the data has been transmitted (server-side). API mapping is designed to give a company/client the information needed to understand potential privacy risks and any attendant compliance obligations.
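The following Python is an added example, not code from the page, from Root, or from NT Analyzer. It builds a minimal API data-flow inventory of the kind the data-inventory requirement describes: it takes a constructed, HAR-like capture of HTTP exchanges (placeholder hosts, no real traffic), classifies request and response fields into personal-information categories, and records which first- or third-party endpoint each category crosses in each direction. The field-name patterns, sample hosts and first-party domain list are assumptions.

```python
"""Inventory of personal information (PI) crossing API calls.

Input: a constructed, HAR-like list of captured HTTP exchanges (placeholder
hosts). Output: one row per (call, direction) that carried PI, giving host,
endpoint, first- or third-party, and the PI categories seen.
"""
import json
from urllib.parse import urlparse, parse_qsl

# Assumed field-name patterns -> PI category. Names are normalised to
# lower-case alphanumerics so "driver_license_no" and "driversLicense" match.
PI_FIELDS = {
    "name": ("firstname", "lastname", "fullname", "name"),
    "address": ("address", "street", "zip", "zipcode", "postalcode"),
    "email": ("email",),
    "drivers_license": ("driverslicense", "driverlicense", "dlnumber", "licensenumber"),
}

def _norm(key):
    return "".join(ch for ch in str(key).lower() if ch.isalnum())

def _classify(key):
    """Return the PI category for a field name, or None."""
    n = _norm(key)
    return next((cat for cat, names in PI_FIELDS.items() if n in names), None)

def _walk(obj, found):
    """Collect PI categories from nested dict/list structures."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            cat = _classify(k)
            if cat and v not in (None, ""):
                found.add(cat)
            _walk(v, found)
    elif isinstance(obj, list):
        for item in obj:
            _walk(item, found)

def pi_in_payload(raw):
    """PI categories in a JSON body or a form/query string; empty set if none."""
    found = set()
    if not raw:
        return found
    try:
        _walk(json.loads(raw), found)   # JSON body
    except ValueError:
        _walk(dict(parse_qsl(raw)), found)  # fall back to form/query encoding
    return found

def map_api_flows(capture, first_party_domains):
    """One inventory row per (call, direction) that carries PI."""
    rows = []
    for ex in capture:
        url = urlparse(ex["url"])
        host = url.hostname or ""
        party = "first" if any(host == d or host.endswith("." + d)
                               for d in first_party_domains) else "third"
        req = pi_in_payload(url.query) | pi_in_payload(ex.get("request_body", ""))
        resp = pi_in_payload(ex.get("response_body", ""))  # responses leak PI too
        for direction, cats in (("request", req), ("response", resp)):
            if cats:
                rows.append({"method": ex["method"], "host": host, "path": url.path,
                             "party": party, "direction": direction, "pi": sorted(cats)})
    return rows

# Constructed sample capture: a first-party prefill call whose *response*
# returns household members' licence numbers, plus two third-party calls.
SAMPLE_CAPTURE = [
    {"method": "POST", "url": "https://quote.insurer.example/api/v1/prefill",
     "request_body": json.dumps({"firstName": "Jane", "lastName": "Doe",
                                 "address": {"street": "1 Main St", "zip": "10001"}}),
     "response_body": json.dumps({"household": [
         {"name": "Jane Doe", "driversLicense": "PLACEHOLDER-1"},
         {"name": "John Doe", "driversLicense": "PLACEHOLDER-2"}]})},
    {"method": "GET", "url": "https://geo.vendor.example/geocode?address=1+Main+St",
     "response_body": json.dumps({"lat": 40.7, "lng": -74.0})},
    {"method": "POST", "url": "https://collect.analytics.example/v1/events",
     "request_body": json.dumps({"event": "quote_started", "email": "jane@example.com"})},
]

if __name__ == "__main__":
    for row in map_api_flows(SAMPLE_CAPTURE, ["insurer.example"]):
        print(row)
```

The prefill response row is the one a privacy review most easily misses: the inventory must cover data returned by the API, not only data submitted to it.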
NT Analyzer, Norton Rose Fulbright’s proprietary tool suite for privacy testing, added significant API mapping capabilities to its service complement in April 2025 in order to meet the new regulatory expectations from New York. The API mapping service combines our ability to capture network traffic with a custom AI integration to analyze various aspects of an API’s operation, from upfront data collection to backend uses and lifecycle. We anticipate using the service in other jurisdictions as part of risk assessments and general testing.