October 3, 2022

Volume XII, Number 276


September 30, 2022


Carnival Cruise Line and 46 State Attorneys General Reach $6 Million Dollar Settlement Over 2019 Data Breach

Carnival Cruise Line, one of the largest international cruise lines, has agreed to pay $6 million to resolve claims brought by state attorneys general in response to a 2019 data breach. In March 2020, Carnival reported a data breach that compromised the information of approximately 180,000 of its employees and customers across the United States after an unauthorized third party gained access to several Carnival employee email accounts. Carnival’s notification letter to state attorneys general nationwide indicated that Carnival was aware of potential suspicious email activity as far back as ten months prior to the notice.

The information exposed in the data breach included addresses, names, driver’s license numbers, passport numbers, credit and debit card information, personal health information, and Social Security numbers. The data breach resulted in an investigation involving 46 states into Carnival’s email privacy and security practices, as well as its compliance with state breach notification statutes.

Last month, Carnival announced that the state attorneys general’s investigation had concluded with Carnival agreeing to pay $1.25 million to resolve claims made by 46 state attorneys general, with the attorneys general determining themselves how to split the payment amongst the affected states. Carnival also agreed to comply with the Consumer Protection Act, the Personal Protection Act, and the Security Breach Notification Act to develop and maintain more effective security and notification policies.

In addition to paying these monetary penalties, Carnival has also agreed to various remedial data measures. Carnival must review and routinely update its incident response and data breach notification plan. The plan must include measures for 1) preparation, 2) detection and analysis, 3) containment, 4) eradication, and 5) recovery. Carnival must also preserve sufficient documentation to show any investigative and responsive action taken in the event of a security incident or data breach. Carnival must also report any security incident and make the report available to the state attorneys general upon request. The settlement agreement also requires Carnival to implement and comply with procedures that the company develops to govern its retention of personal information, including deletion procedures for personal information that is no longer in use.

Carnival further agreed to additional remedial measures involving employee training. It will provide its employees with phishing training at least twice a year for the three years following the effective date of the agreement. Carnival will also provide email protection and filtering solutions for all employee email accounts to protect against spam, phishing attacks, and malware. Additionally, Carnival will audit the use of its individual email accounts, administrator accounts, service accounts, and vendor accounts.

To protect the company’s network access, Carnival has also agreed to implement a multi-factor authentication process for remote access. Carnival must review the company’s password policies and procedures and mandate that its employees use strong, complex passwords, password rotation, and secure password storage. Additionally, Carnival must implement firewall policies for the part of the company’s network that it owns to effectively restrict connections between external networks and its own. Carnival must then develop an annual penetration testing program designed to assess its company network’s security vulnerabilities.

The settlement agreement further requires Carnival to conduct an annual risk assessment to evaluate the effectiveness of the safeguards that it has been required to implement. The assessment must identify internal and external risks to the company’s network security and confidentiality, evaluate the adjustments made to the company’s information security program, and document the safeguards that have been implemented to combat poor security. Carnival must then respond to the assessment with a solution capable of detecting unauthorized access to the company’s network. This risk assessment must be completed by a third-party professional.

The settlement agreement between Carnival and the affected states will assist Carnival in its efforts towards ensuring improved consumer privacy and network security.

Nyet Abraha also contributed to this article.

© Copyright 2022 Squire Patton Boggs (US) LLP

National Law Review, Volume XII, Number 208

About this Author

Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

Marissa Black Litigation Attorney Squire Patton Boggs Cleveland, OH

Marissa Black is a results-oriented litigator representing clients in complex civil disputes. She has represented clients in federal and state courts throughout the US, at both the trial and appellate levels.

Before joining the firm, Marissa clerked for two years for the Honorable Dan Aaron Polster of the US District Court for the Northern District of Ohio. Before that, she was an associate at another Cleveland-based AmLaw 100 law firm.