Carnival Cruise Lines 2019 Data Breach Results in $5M to NY State, $1.2M to Other States, and an Instructive Roadmap for Privacy Compliance
As many states in the U.S. continue to push for stricter, comprehensive privacy laws and regulations, Attorneys General (AGs) are active in both enforcing their data breach laws and utilizing their deceptive trade practice authority in the privacy space.
Last week, 46 State AGs signed an Assurance of Voluntary Compliance with international cruise corporation Carnival Corporation d/b/a Carnival Cruise Line and certain related entities (collectively, “Carnival”) stemming from a 2019 data breach in which compromised employee email accounts purportedly exposed sensitive personal information. This data breach impacted consumers in those states. An Assurance of Voluntary Compliance (hereafter the “Agreement”) is a settlement agreement entered into between a state AG and an individual or business that the AG believes has violated, or may in the future violate, one or more consumer protection laws. An assurance is not an admission of guilt; however, the parties enter into it voluntarily, and if it is violated it carries the same force of law as an injunction, judgment, or final court order. The payment to the states is $1.25M total.
Additionally, this week, it was announced that Carnival must pay a $5M penalty to New York state over a breach of consumer data that violated the state’s cybersecurity rules (the “New York Consent Order”). Carnival must also surrender its New York state insurance licenses pursuant to the Consent Order. According to New York’s Department of Financial Services, Carnival was penalized for lapses in security technology and training and for failing to promptly disclose multiple cybersecurity incidents over a multiyear period that exposed Carnival customers’, employees’, and crew’s personal information. Although privacy cases take several forms, each with its own unique set of facts and circumstances that factor into outcomes, both the New York Consent Order and the multistate Agreement serve as useful roadmaps for companies that seek to understand and comply with AG privacy expectations, and for anticipating what type of enforcement may follow if a breach occurs.
In its Agreement, Carnival has agreed to comply with state laws prohibiting unfair and deceptive trade practices and certain data security and breach notification laws specifically in connection with securing Personal Information (as defined by state statutes) against Security Incidents, defined as confirmed unauthorized access to or acquisition of a Consumer’s personal information owned, licensed, or maintained by Carnival. In addition, Carnival agrees to comply with consumer protection acts with respect to representations regarding privacy and security of personal information.
Within 180 days of the effective date of the Agreement, Carnival must, among other things:
- Have in place and be prepared to maintain a comprehensive information security program, appropriate to the size and complexity of operations, nature and scope of activities, and the sensitivity of personal information.
- Employ a Chief Information Security Officer (CISO), and provide security awareness and privacy training to all personnel with access to the network or responsibility for personal information, both upon hiring and annually thereafter.
- Update its written incident response and data breach notification plan to ensure compliance, addressing preparation, detection and analysis, containment, eradication, and recovery workflows.
- Develop, implement, and maintain personal information retention policies; use email filtering and protection; establish encryption policies; maintain an appropriate system to collect logs and monitor network activity; and establish policies to analyze security events in real time.
- Implement appropriate policies covering account auditing, password protection, multifactor authentication for remote access, firewalls, and penetration testing, and conduct an annual risk assessment.
- Obtain a risk assessment from a third party within 18 months of the effective date of the Agreement and provide a copy to the State of Washington for review.
Although several provisions within the Agreement expire after five years, it is clear that state AGs will expect ongoing comprehensive and effective data privacy compliance programs in accordance with laws and regulations. Significant fines and continued government oversight will follow if they find a lapse in security practices.
So, What Happened?
Between 2019 and 2021, Carnival suffered four cybersecurity breaches but did not disclose the first of them to New York’s Department of Financial Services within the required deadline because Carnival’s incident response plan did not include NY’s DFS notification requirement.[1] The first of those breaches, in 2019, compromised the personal information of 180,000 Carnival employees and customers and led to the multistate investigation and the subsequent Agreement with the states’ AGs. Of the four incidents, two stemmed from phishing email scams targeting employee email accounts; the other two stemmed from malware attacks on Carnival’s systems.
In August 2017, New York enacted the first-in-the-nation cybersecurity regulation for financial services companies, 23 NYCRR § 500 (the “Cybersecurity Regulation”). Individuals and entities required to comply with the Cybersecurity Regulation include, but are not limited to, partnerships, corporations, branches, agencies, and associations operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York’s banking law, insurance law, or financial services law. Carnival and its affiliated companies are licensed by NY’s DFS to sell life insurance, accident and health insurance, and variable life/variable annuities insurance in the state. As such, Carnival and its affiliated companies are considered “Covered Entities” under the Cybersecurity Regulation.[2]
Under the Cybersecurity Regulation, Carnival was subject to NY’s DFS notification requirement, which requires notice to the Superintendent within 72 hours of determining that a “cybersecurity event” has occurred. The Cybersecurity Regulation defines a cybersecurity event as any act or attempt, whether or not successful, to gain unauthorized access to information stored on an information system, or to disrupt or misuse such an information system. The company also failed to implement two-factor authentication (“MFA”) on certain IT systems; without it, an organization is more susceptible to unauthorized access by attackers. The Consent Order also stated that Carnival failed to implement the required cybersecurity awareness employee training and found the lack of such training to be an aggravating factor in the repeated phishing-related cybersecurity events. Additionally, the Consent Order found Carnival to be in violation of the Cybersecurity Regulation’s annual compliance certification requirement. Although Carnival had timely completed such certifications, because Carnival was not in fact in compliance with the Cybersecurity Regulation at the time of certification, the Consent Order declared those certifications to be improper.
These issues illustrate just how complex cybersecurity compliance can be. Companies need both IT controls and policy and procedure management. These are two very different areas (e.g., privacy vs. security departments) that largely operate independently, yet coordination between them is essential in order to comply with many data privacy laws and regulations. Here, Carnival certified compliance when in fact its compliance program was not effective or in accordance with state law.
Privacy and data security initiatives, and the expectations of government bodies, will continue to increase within the U.S. It is important to have a comprehensive data privacy and security program in place and to continually seek ways to further enhance your practices so that later state AG scrutiny is minimized. Most importantly, CISOs should work closely with legal and compliance to ensure that the company remains compliant with the many different cybersecurity regulations that apply to it. Mapping out which controls are necessary under each cybersecurity rule that applies to your business is essential.
Contact Our Data Protection and Privacy Attorneys Today
The attorneys at Kendall PC all have experience working with national and international clients regarding the development, implementation, and ongoing auditing and monitoring of their data privacy and security programs. Our team works closely with privacy and security officers, legal and compliance departments, and government regulators. If your business needs assistance with any aspect of data protection and privacy, including assistance with internal/external investigations related to data protection and privacy, the attorneys at Kendall PC can help.
Contact us today online or at (484) 414-4093. Our firm has decades of experience serving small, emerging, and mid-size businesses throughout the United States and across the globe.
[1] See 23 NYCRR § 500.17(a).
[2] 23 NYCRR § 500.01(c).