Carnival Cruise Line settles data breach case brought by 45 states over the release of personal information of 180,000 Carnival customers and employees and pays $1.25 million

Carnival Cruise Line has agreed to pay a $1.25 million settlement over a case brought by 45 state attorneys general and the District of Columbia over a 2019 data breach that involved the personal information of 180,000 Carnival employees and customers nationwide.

In March 2020, Carnival, through subsidiaries reported the breach, in which names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and a small number of Social Security numbers were exposed.

Carnival said it first became aware of suspicious email activity in May 2019, 10 months before publicly announcing the incident. A multistate probe was launched, focusing on Carnival’s email security practices and compliance with data breach statutes.

On Wednesday, Carnival agreed to pay the fine for its alleged misconduct and comply with changes to strengthen its email security and breach response practices going forward, including:

  • Implementation and maintenance of breach response and notification plan;
  • Email security training requirements for employees, including dedicated phishing exercises;
  • Multifactor authentication for remote email access;
  • Password policies and procedures requiring the use of strong passwords, password rotation, and secure password storage;
  • Maintenance of enhanced behavior analytics tools to log and monitor potential security events on the company’s network; and
  • Undergoing an independent information security assessment.

On top of these requirements, Carnival must employ a chief information security officer (CISO) going forward, according to the settlement The CISO must have proper credentials, background, and expertise in information security and will oversee the implementation and maintenance of the company’s information security program.

“The CISO’s responsibilities shall also include reporting any security incident impacting 500 or more consumers in the United States to the chief executive officer, chief information officer, and chief operations officer within 48 hours of discovery,” the settlement stated. “The CISO shall report security incidents to the audit committee in accordance with Carnival’s incident response plan.”

The investigation involved Connecticut, Florida, and Washington. Alabama, Arizona, Arkansas, Ohio, and North Carolina provided additional assistance and were joined by Alaska, Colorado, Delaware, the District of Columbia, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Dakota, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, West Virginia, Wisconsin, and Wyoming.

JEFFREY NEWMAN IS A WHISTLEBLOWER LAWYER WITH THE FIRM NEWMAN & SHAPIRO WHO HANDLES MAJOR WHISTLEBLOWER CASES IN THE SECURITIES & EXCHANGE WHISTLEBLOWER PROGRAM AND FALSE CLAIMS ACT CASES. HE CAN BE REACHED AT 617-823-3217 OR JNEWMAN@NEWMANSHAPIRO.COM