On March 20, 2025, the New York Attorney General (“NYAG”) announced a settlement with Ohio-based Root Insurance concerning the privacy practices of its online auto insurance quoting tool. As part of the settlement, Root agreed to pay $975,000 and to undertake a variety of security measures, including the creation of a data inventory that requires Root to map and/or track the complete path of all data flows involving consumers’ personal information, including API calls. Root neither admits nor denies the NYAG’s findings.
Background
Root offers auto insurance and, like many auto insurers, it offers online applications for quotes. Many insurers realize that consumers do not know their driver’s license number offhand, so Root, like others, would “prefill” that field once the user entered a name and address. Root obtained this information from a third-party data provider, and the information also included the names and driver’s license numbers of other residents at that address. That information is personal information governed by, among other requirements, New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”).
In January 2021, threat actors started targeting Root’s website to obtain this information and, according to the complaint, targeted New York drivers in order to use that information to file fraudulent unemployment benefit claims. The complaint states that the attack began on January 19, 2021, and that a marketing employee at Root noticed an increase in “unattributed profiles” (profiles with no indicator of how the individual had been directed to Root) on January 27, 2021. The security team was notified that day and began taking mitigation actions (including implementing CAPTCHA and blocking automated traffic). The next day, Root took additional actions, culminating in turning off the “prefill” function.
NYAG Claims
The NYAG claimed that Root had “failed to adopt reasonable safeguards to protect the private information” (¶ 17) and “did not adequately assess the potential risks of handling private information within its public-facing web applications.” (¶ 18). The NYAG also alleged that Root had not used rate-limiting tools to prevent the repeated, automated use of the quote tool (¶ 19), and did not have adequate policies and procedures (¶ 20). As a result, the NYAG claimed that Root’s conduct violated the SHIELD Act.
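The rate-limiting point above is concrete enough to illustrate. The following is an added example, not code from the page, from Root, or from the NYAG: a sliding-window rate limiter applied to a constructed log of requests against a hypothetical quote-prefill endpoint. Hosts, paths, client addresses and the threshold values are assumptions chosen for the illustration; the point is that a public lookup endpoint returning personal information can be given a per-client budget and that the resulting block decisions are themselves a useful signal for the monitoring element the settlement also requires.

```python
from collections import defaultdict, deque

# Constructed sample traffic (not real data): (timestamp in seconds, client
# identifier, requested path). One client hammers the hypothetical prefill
# endpoint; another uses it normally; static assets are not rate limited.
SAMPLE_REQUESTS = [
    (0.0, "203.0.113.10", "/api/quote/prefill"),
    (2.0, "203.0.113.10", "/api/quote/prefill"),
    (4.0, "203.0.113.10", "/api/quote/prefill"),
    (6.0, "203.0.113.10", "/api/quote/prefill"),
    (8.0, "203.0.113.10", "/api/quote/prefill"),
    (10.0, "203.0.113.10", "/api/quote/prefill"),
    (12.0, "203.0.113.10", "/api/quote/prefill"),
    (14.0, "203.0.113.10", "/api/quote/prefill"),
    (70.0, "203.0.113.10", "/api/quote/prefill"),
    (1.0, "198.51.100.7", "/api/quote/prefill"),
    (3.0, "198.51.100.7", "/api/quote/prefill"),
    (5.0, "192.0.2.44", "/static/logo.png"),
]

# Assumed policy: at most 5 attempts per client per rolling 60-second window.
WINDOW_SECONDS = 60.0
MAX_PER_WINDOW = 5


class SlidingWindowLimiter:
    """Per-key sliding-window counter. Every attempt is recorded, including
    blocked ones, so a client that keeps hammering stays blocked until it
    actually backs off for a full window."""

    def __init__(self, window_seconds, max_requests):
        self.window = window_seconds
        self.max = max_requests
        self.hits = defaultdict(deque)  # key -> timestamps inside the window

    def allow(self, key, now):
        q = self.hits[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        q.append(now)
        return len(q) <= self.max


def apply_rate_limit(requests, window_seconds=WINDOW_SECONDS,
                     max_requests=MAX_PER_WINDOW, protected_prefix="/api/quote/"):
    """Replay a request log in time order and decide allow/block per request.
    Only paths under protected_prefix consume the client's budget."""
    limiter = SlidingWindowLimiter(window_seconds, max_requests)
    decisions = []
    for ts, client, path in sorted(requests):
        if not path.startswith(protected_prefix):
            decisions.append((ts, client, path, "allow"))
            continue
        verdict = "allow" if limiter.allow(client, ts) else "block"
        decisions.append((ts, client, path, verdict))
    return decisions


def blocked_by_client(decisions):
    """Count of blocked requests per client: the figure a monitoring rule
    would alert on when one source dominates a lookup endpoint."""
    counts = defaultdict(int)
    for _ts, client, _path, verdict in decisions:
        if verdict == "block":
            counts[client] += 1
    return dict(counts)


if __name__ == "__main__":
    results = apply_rate_limit(SAMPLE_REQUESTS)
    for row in results:
        print(row)
    print("blocked per client:", blocked_by_client(results))
```

With the constructed log, the first five attempts from 203.0.113.10 are allowed, the next three are blocked, and the attempt at 70 seconds is allowed again because enough of the earlier timestamps have aged out of the window; the normal client and the static asset request are never blocked. In a real deployment the key would usually combine more than the source address (session, device fingerprint, or account), because a single address is easy to rotate.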
The Settlement
The settlement (called an Assurance of Discontinuance) requires that Root pay $975,000 and implement an information security program. That program must include several elements: a data inventory; governance; a secure software development lifecycle; authentication; web application defenses; monitoring; and threat response. The data inventory requirement includes not only identifying “all points at which Private Information is collected, used, stored, retrieved, transmitted, displayed, maintained, or otherwise processed” (¶ 31(a)), but also requires that Root “Map and/or track the complete path of all data flows involving Private Information, including API calls.” (¶ 31(b)).
What is an API call, and how can it be mapped or tracked?
Although the term “API” is often used in legal areas relating to privacy and security, many practitioners may have only a fuzzy notion of what the term means unless they have hands-on experience with code development or security. An “API” or “Application Programming Interface” is a structured set of rules and/or protocols that defines clear methods for asking a piece of software to provide information, perform an action, or do something else. Although APIs may operate locally between one piece of software and another (for example, for an application to make requests to an operating system), in privacy and data security the term “API” more typically refers to the manner in which browser software (in the case of websites) or a mobile app (in the case of mobile devices) makes a network request to a server and receives a corresponding response. APIs can be used for all sorts of things, for example: location services (geocoding, reverse geocoding, directions), payment processing (Stripe API, PayPal REST API, Square payments API), cloud storage (AWS S3), analytics, ad delivery, ad targeting, and many other things. Companies may also have their own first-party APIs.
The privacy issues raised by APIs include:
- The extent of data collection (APIs tend to be data hogs)
- Applicable terms and conditions (what are the purposes to which the data will be put?)
- Company awareness (did Legal and Infosec approve?)
- User awareness (is the data use and collection something that the user would expect?)
“API mapping,” from a privacy standpoint, consists of using a repeatable, formalized process to understand what data is sent to the API and understanding the data lifecycle once the data is transmitted (server-side). API mapping is designed to provide a company/client with the necessary information to understand potential privacy risks and any attendant compliance obligations.
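The mapping process described above can be shown in code. What follows is an added example written for this post; it is not NT Analyzer, not Root’s code, and not drawn from the settlement. It takes a constructed capture of three request/response exchanges (hypothetical hosts, paths and field names) and produces, per endpoint, which categories of personal information are sent and received, whether the host is first- or third-party, and whether a response appears to return personal information about people other than the requester. The field classifier is a simple keyword match and the “other person” check is a heuristic (personal fields nested inside a list element); both are assumptions a real inventory would refine.

```python
from urllib.parse import urlparse

# Constructed capture of three exchanges (not real traffic). Hosts, paths and
# field names are hypothetical: a first-party prefill call, the upstream
# third-party lookup behind it, and an unrelated configuration call.
CAPTURE = [
    {
        "request": {
            "method": "POST",
            "url": "https://quote.example.com/api/quote/prefill",
            "body": {"first_name": "Jane", "last_name": "Doe",
                     "address": {"street": "1 Main St", "zip": "10001"}},
        },
        "response": {
            "body": {"drivers_license": "D1234567",
                     "other_residents": [{"first_name": "John", "last_name": "Doe",
                                          "drivers_license": "D7654321"}]},
        },
    },
    {
        "request": {
            "method": "POST",
            "url": "https://data.vendor-example.net/v2/lookup",
            "body": {"name": "Jane Doe", "postal_code": "10001"},
        },
        "response": {"body": {"license_no": "D1234567"}},
    },
    {
        "request": {"method": "GET", "url": "https://quote.example.com/api/config",
                    "body": None},
        "response": {"body": {"feature_flags": {"prefill": True}}},
    },
]

# Assumed: domains the company operates itself; anything else is third party.
FIRST_PARTY_DOMAINS = {"quote.example.com"}

# Keyword classifier for personal-information categories (assumed vocabulary).
CATEGORY_KEYWORDS = {
    "name": ("first_name", "last_name", "name"),
    "address": ("address", "street", "zip", "postal_code"),
    "drivers_license": ("drivers_license", "license_no", "dl_number"),
}


def flatten(obj, path=()):
    """Yield (dotted_path, value) for every leaf of a nested JSON body.
    List elements appear as "[i]" segments so nesting stays visible."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, path + (key,))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from flatten(value, path + (f"[{i}]",))
    else:
        yield ".".join(path), obj


def classify_field(path):
    """Map a field path to a personal-information category, or None."""
    leaf = path.split(".")[-1].lower()
    for category, keys in CATEGORY_KEYWORDS.items():
        if leaf in keys:
            return category
    return None


def map_exchange(exchange):
    """Build one data-flow record: endpoint, party, fields sent, fields received."""
    url = urlparse(exchange["request"]["url"])
    record = {
        "endpoint": f"{exchange['request']['method']} {url.path}",
        "host": url.netloc,
        "party": "first" if url.netloc in FIRST_PARTY_DOMAINS else "third",
        "sent": {},
        "received": {},
        # Heuristic: personal data returned inside a list element is likely
        # about additional individuals, not the person who made the request.
        "third_person_data": False,
    }
    for direction, body in (("sent", exchange["request"]["body"]),
                            ("received", exchange["response"]["body"])):
        for path, _value in flatten(body or {}):
            category = classify_field(path)
            if category is None:
                continue
            record[direction].setdefault(category, []).append(path)
            if direction == "received" and "[" in path:
                record["third_person_data"] = True
    return record


def build_data_flow_map(capture):
    return [map_exchange(e) for e in capture]


def flows_with_personal_information(data_flow_map):
    """Only the flows a privacy review needs to look at."""
    return [r for r in data_flow_map if r["sent"] or r["received"]]


if __name__ == "__main__":
    for rec in build_data_flow_map(CAPTURE):
        print(rec)
```

On the constructed capture, the prefill endpoint is recorded as a first-party flow that sends name and address and receives a driver’s license number plus a second person’s name and license (flagged), the vendor lookup is recorded as a third-party flow receiving a license number, and the configuration call carries no personal information and drops out of the review list. That last record is what the settlement’s “complete path” language asks for: the inventory shows the third-party hop behind the first-party endpoint, not just the endpoint the browser sees.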
NT Analyzer, Norton Rose Fulbright’s proprietary tool suite for privacy testing, added significant API mapping capabilities to its service complement in April of 2025 in order to satisfy the new regulatory expectations from New York. The API mapping service leverages our ability to acquire network traffic with a custom AI integration to analyze various aspects of an API’s operation—from upfront data collection to backend uses and lifecycle. We anticipate using the service in other jurisdictions as part of risk assessments and general testing.