Special thanks to our Summer Associate, Nyet Abraha, for her work on this blog.

Carnival Cruise Line, one of the largest international cruise lines, has agreed to pay $6 million to resolve claims brought by state attorneys general in response to a 2019 data breach. In March 2020, Carnival reported a data breach that compromised the information of approximately 180,000 of its employees and customers across the United States after an unauthorized third party gained access to several Carnival employee email accounts. Carnival’s notification letter to state attorneys general nationwide indicated that Carnival was aware of potential suspicious email activity as far back as ten months prior to the notice.

The information exposed in the data breach included addresses, names, driver’s license numbers, passport numbers, credit and debit card information, personal health information, and Social Security numbers. The data breach resulted in an investigation involving 46 states into Carnival’s email privacy and security practices, as well as its compliance with state breach notification statutes.

Last month, Carnival announced that the state attorneys’ general investigation had concluded with Carnival agreeing to pay $1.25 million to resolve claims made by 46 state attorneys general, with the attorneys general determining themselves how to split the payment amongst the affected states. Carnival also agreed to comply with the Consumer Protection Act, the Personal Protection Act, and the Security Breach Notification Act to develop and maintain more effective security and notification policies.

In addition to paying these monetary penalties, Carnival has also agreed to various remedial data measures. Carnival must review and routinely update its incident response and data breach notification plan. The plan must include measures for 1) preparation, 2) detection and analysis, 3) containment, 4) eradication, and 5) recovery. Carnival must also preserve sufficient documentation to show any investigative and responsive action taken in the event of a security incident or data breach. Carnival must also report any security incident and make the report available to the state attorneys general upon request. The settlement agreement also requires Carnival to implement and comply with procedures that the company develops to govern its retention of personal information, including deletion procedures for personal information that is no longer in use.

Carnival further agreed to additional remedial measures involving employee training. It will provide its employees with phishing training at least twice a year for the three years following the effective date of the agreement. Carnival will also provide email protection and filtering solutions for all employee email accounts to protect against SPAM, phishing attacks, and malware. Additionally, Carnival will audit the use of its individual email accounts, administrator accounts, service accounts, and vendor accounts.

To protect the company’s network access, Carnival has also agreed to implement a multi-factor authentication process for remote access. Carnival must review the company’s password policies and procedures and mandate that its employees use strong, complex passwords, password rotation, and secure password storage. Additionally, Carnival must implement firewall policies for the part of the company’s network that it owns to effectively restrict connections between external networks and its own. Carnival must then develop an annual penetration testing program designed to assess its company network’s security vulnerabilities.

The settlement agreement further requires Carnival to conduct an annual risk assessment to evaluate the effectiveness of the safeguards that it has been required to implement. The assessment must identify internal and external risks to the company’s network security and confidentiality, evaluate the adjustments made to the company’s information security program, and document the safeguards that have been implemented to combat poor security. Carnival must then provide a response with a solution that will detect unauthorized access to its company’s network. This risk assessment must be completed by a third-party professional.

The settlement agreement between Carnival and the affected states will assist Carnival in its efforts towards ensuring improved consumer privacy and network security. For more on this, stay tuned. CPW will be there to keep you in the loop.