Multistate Reaches Settlement with Carnival over 2019 Data Breach

  • AGs from 46 states reached a $1.26 million settlement with Carnival Corporation and three of its subsidiaries (collectively “Carnival”) to resolve allegations that Carnival violated state consumer protection and personal information protection laws when deficiencies in its information security program contributed to a 2019 data breach that compromised the personal information of approximately 180,000 Carnival employees and customers.
  • The multistate investigation revealed that in March 2020, Carnival reported a data breach in which an unauthorized user obtained access to Carnival employee e-mail accounts. Employee and customer names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and some Social Security numbers were compromised as a result of the breach. It was also revealed that Carnival first became aware of suspicious email activity in May 2019, but did not report it for approximately 10 months.
  • In addition to paying $1.25 million to the participating states, the Assurance of Voluntary Compliance also requires that Carnival develop, implement and maintain a comprehensive information security program that contains specific security requirements. Such requirements include the development and implementation of personal information retention policies, email filtering protections, multi-factor authentication, encryption policies, logging and monitoring controls, employee privacy training, access and password controls, audit protocols, and annual risk assessments, among other things. The company must also obtain an information security risk assessment from an independent third party within 18 months of the agreement effective date.