Wyoming Joins Multistate Settlement Over 2019 Carnival Cruise Line Data Breach for $1.25 Million Dollars

Today, Attorney General Bridget Hill announced that Wyoming (along with 45 other attorneys general) has obtained a “$1.25 million” multistate settlement with Florida-based Carnival Cruise Line as the result of a 2019 data breach involving the personal information of “180,000” Carnival employees and customers nationwide. According to a recent press release, Wyoming will receive $10,000 dollars from the settlement.

Carnival publicly reported the data breach where an “unauthorized actor” gained access to certain Carnival employee email accounts in March 2020. As the Office of the Attorney General Consumer Protection Unit reports, “The breach included names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and a relatively small number of Social Security Numbers.” In total, one hundred and sixty-six Wyoming residents were affected.

Notifications of the breach were sent to attorneys general offices and stated that Carnival first became aware of “suspicious email activity” in late May of 2019 – approximately 10 months before Carnival reported the breach. A multistate investigation followed, focusing on Carnival’s “email security practices” and compliance with state breach notification statutes. As the Consumer Protection Unit states, “Unstructured” data breaches like the Carnival breach involve personal information stored via email and other disorganized platforms. Businesses lack visibility into this data, making breach notification more challenging—and consumer risk rises with delays.” Under the settlement agreement, Carnival has accepted a series of provisions designed to strengthen its email security and breach response practices.

These include the following:

• Implementation and maintenance of a breach response and notification plan;
• Email security training requirements for employees, including dedicated phishing exercises;
• Multi-factor authentication for remote email access;
• Password policies and procedures requiring the use of strong, complex passwords, password rotation, and secure password storage;
• Maintenance of enhanced behavior analytics tools to log and monitor potential security events on the company’s network; and
• Consistent with past data breach settlements, undergoing an independent information security assessment.

Connecticut, Florida, and Washington co-led the investigation, assisted by Alabama, Arizona, Arkansas, Ohio, and North Carolina, and joined by Alaska, Colorado, Delaware, the District of Columbia, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Dakota, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.