August 19, 2022

Volume XII, Number 231

NYDFS Imposes Fine of $5 Million on Carnival for Cybersecurity Breaches

On June 24, 2022, the New York State Department of Financial Services (“NYDFS” or the “Department”) announced it had entered into a $5 million settlement with Carnival Corp. (“Carnival”), the world’s largest cruise-ship operator, for violations of the Cybersecurity Regulation (23 NYCRR Part 500) in connection with four cybersecurity events between 2019 and 2021, including two ransomware events.  

In its consent order, the Department noted that the cybersecurity events had caused the exposure of a substantial amount of sensitive personal data belonging to Carnival’s customers, including those residing in New York. Since Carnival was licensed by the Department to sell insurance in NY State, it was treated as a covered entity under the Cybersecurity Regulation. NYDFS also found that Carnival had failed to implement basic protocols to prevent data breaches. The first cyber attack took place through a phishing email or password spray attack where unauthorized third parties gained access to 124 employee accounts and used that access to send a series of phishing emails. Although the first attack resulted in exposing certain data such as names, addresses and government identification information of consumers and employees, Carnival failed to (1) report the incident to the NYDFS for 10 months, (2) conduct adequate cybersecurity training for its personnel, and (3) implement multi-factor authentication within its internal email policy.

Between August 2020 and March 2021, Carnival reported three additional incidents, including two ransomware attacks and a phishing email where a threat actor deployed malware, accessed and encrypted certain internal information systems, and exfiltrated certain data files. These incidents led to the exposure of customers’ names, addresses, dates of birth and passport numbers, as well as employees’ names, addresses, phone numbers, Social Security numbers, private health information and credit card numbers.

Although Carnival had certified compliance with the Cybersecurity Regulation at the time of the incidents, NYDFS found that Carnival’s attestation of compliance was improper. In addition to the monetary penalty of $5 million, NYDFS also accepted Carnival’s surrender of its insurance producer license; thus, Carnival has ceased selling insurance in New York.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume XII, Number 182

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...
