On March 20, 2025, the New York Attorney General (“NYAG”) announced a settlement with Ohio-based Root Insurance concerning privacy practices relating to its online auto insurance quoting tool. As part of the settlement, Root agreed to pay $975,000 and to adopt a variety of security measures, including creation of a data inventory that requires Root to map and/or track the entire path of all data flows involving consumers’ personal information, including API calls. Root neither admits nor denies the NYAG’s findings.
Background
Root offers auto insurance and, like many automobile insurers, it offers online applications for quotes. Many insurers recognize that consumers do not know their driver’s license number, and Root, like others, would “prefill” that information once the user entered the user’s name and address. Root would obtain this information from a third-party data provider, and the information also included the names and driver’s license numbers of other residents at that address. That information is private information governed by, among other requirements, New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”).
In January 2021, threat actors began targeting Root’s website to obtain this information and, according to the complaint, targeted New York drivers in order to use that information to claim (fraudulently) unemployment benefits. The complaint states that the attack began on January 19, 2021, and that a Marketing employee at Root noticed the increase in “unattributed profiles” (profiles with no indicator of how the user had been directed to Root) on January 27, 2021. The security team was notified that day and began taking mitigation actions (including implementing CAPTCHA and blocking automated traffic). The next day, Root took additional actions, culminating in turning off the “prefill” function.
NYAG Claims
The NYAG claimed that Root had “failed to adopt reasonable safeguards to protect the private information” (¶ 17) and “did not adequately assess the potential risks of handling private information within its public-facing web applications” (¶ 18). The NYAG also alleged that Root had not used rate-limiting tools to prevent the repeated, automated use of the quote tool (¶ 19), and did not have adequate policies and procedures (¶ 20). Consequently, the NYAG claimed that Root’s conduct violated the SHIELD Act.
The Settlement
The settlement (called an Assurance of Discontinuance) requires that Root pay $975,000 and implement an information security program. That program must include several elements: (a) a data inventory; (b) governance; (c) implementing a secure software development lifecycle; (d) authentication; web application defenses; (e) monitoring; and (f) threat response. The data inventory requirement includes not only identifying “all points at which Private Information is collected, used, stored, retrieved, transmitted, displayed, maintained, or otherwise processed” (¶ 31(a)), but also requires that Root “Map and/or track the entire path of all data flows involving Private Information, including API calls” (¶ 31(b)).
What’s an API call, and how can it be mapped or tracked?
Although the term “API” is often used in legal contexts relating to privacy and security, many practitioners may have only a fuzzy notion of what the term means unless they have hands-on experience with software development or security. An “API” or “Application Programming Interface” is a structured set of rules and/or protocols that defines clear methods for asking a piece of software to provide information, perform an action, or do something else. Although APIs may operate locally between one piece of software and another (for example, an application making requests to an operating system), in privacy and data security the term “API” more often refers to the way in which browser software (in the case of websites) or a mobile app (in the case of mobile devices) makes a network request to a server and receives a corresponding response. APIs are used for a wide variety of purposes, for example: location services (geocoding, reverse geocoding, directions), payment processing (Stripe API, PayPal REST API, Square Payments API), AWS (S3 storage), analytics, ad delivery, ad targeting, and many other things. Companies may also have their own first-party APIs.
The privacy issues raised by APIs include:
- The extent of data collection (APIs are often data hogs)
- Applicable terms and conditions (what are the purposes to which the data will be put?)
- Company awareness (did Legal and Infosec approve?)
- User awareness (is the data use and collection something that the user would expect?)
“API mapping,” from a privacy standpoint, consists of using a repeatable, formalized process to understand what data is sent to the API and to understand the data lifecycle once the data is transmitted (server-side). API mapping is designed to provide a company/client with the information necessary to understand potential privacy risks and any attendant compliance obligations.
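As an added illustration (not the post's own code, and not NT Analyzer), the Python sketch below shows what a minimal API-mapping pass over captured traffic looks like: it takes a constructed, HAR-like list of calls, classifies by key name which categories of Private Information each endpoint sends and returns, tags third-party hosts, and flags data the server returned that the user never typed in, which is the prefill behaviour at issue in the complaint. Hosts, paths, field names and the key-name patterns are assumptions.

```python
import re
from urllib.parse import urlparse
# Constructed HAR-like capture of browser-to-server API calls, modelled on the
# quote/prefill flow described above; hosts, paths and values are placeholders.
CAPTURED_CALLS = [
    {"method": "POST", "url": "https://quote.insurer.test/api/prefill",
     "request": {"firstName": "Jane", "lastName": "Doe", "address": "1 Main St, Albany, NY"},
     "response": {"drivers": [{"name": "Jane Doe", "dlNumber": "D1234567"},
                              {"name": "John Doe", "dlNumber": "D7654321"}]}},
    {"method": "POST", "url": "https://collect.analytics-vendor.test/event",
     "request": {"event": "quote_started", "email": "jane@example.test"},
     "response": {"ok": True}},
]

# Assumed key-name patterns that indicate Private Information in a JSON payload.
PI_PATTERNS = {
    "name": re.compile(r"(first|last)?name$", re.I),
    "address": re.compile(r"address", re.I),
    "driver_license": re.compile(r"^dl|driver.?s?.?licen", re.I),
    "email": re.compile(r"e-?mail", re.I),
}

def classify_keys(obj, found=None):
    """Recursively collect the PI categories whose key-name pattern matches;
    only key names are inspected, values are never copied into the inventory."""
    found = set() if found is None else found
    if isinstance(obj, dict):
        for key, value in obj.items():
            found.update(c for c, p in PI_PATTERNS.items() if p.search(key))
            classify_keys(value, found)
    elif isinstance(obj, list):
        for item in obj:
            classify_keys(item, found)
    return found

def map_api_calls(calls, first_party_suffix):
    """Build the data-flow inventory: per endpoint, PI sent, PI returned, whether
    the host is a third party, and PI returned that the user never supplied."""
    inventory = []
    for call in calls:
        host = urlparse(call["url"]).hostname or ""
        sent, returned = classify_keys(call["request"]), classify_keys(call["response"])
        inventory.append({
            "endpoint": f'{call["method"]} {call["url"]}',
            "third_party": host != first_party_suffix and not host.endswith("." + first_party_suffix),
            "pi_sent": sorted(sent),
            "pi_returned": sorted(returned),
            "undisclosed_pi": sorted(returned - sent),  # e.g. prefilled DL numbers
        })
    return inventory
```

Each inventory entry is one line of the data-flow map the settlement asks for; in practice the capture would come from a proxy or browser HAR export rather than an inline list.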
NT Analyzer, Norton Rose Fulbright’s proprietary tool suite for privacy testing, added significant API mapping capabilities to its service complement in April 2025 in order to meet the new regulatory expectations from New York. The API mapping service combines our ability to capture network traffic with a custom AI integration to analyze various aspects of an API’s operation, from upfront data collection to backend uses and lifecycle. We anticipate using the service in other jurisdictions as part of risk assessments and general testing.