June 22, 2022
Carson
City, NV – Today, Attorney
General Aaron D. Ford announced Nevada
has obtained a $1.25 million
multistate settlement with Florida-based Carnival Cruise Line as part of a coalition of 46 attorneys general. The settlement follows an
investigation into a 2019 data breach that compromised the personal information
of approximately 180,000 Carnival employees and customers nationwide, including
2,946 Nevada residents. Nevada will receive $24,255.45 from the settlement.
In March 2020,
Carnival publicly reported a data breach in which an unauthorized actor gained
access to certain Carnival employee e-mail accounts. The breach included names,
addresses, passport numbers, driver’s license numbers, payment card
information, health information and a relatively small number of Social
Security Numbers.
“Personal information is a valuable commodity,” said
AG Ford. “Companies entrusted with this information must be diligent in
both securing the information, and letting consumers know when their
information is at risk. Timely action is crucial, and I encourage all
hospitality providers to review this settlement and update their own policies
and procedures if necessary.”
In breach
notifications sent to attorneys general offices, Carnival stated it first
became aware of suspicious email activity in late May 2019 — approximately 10
months before Carnival reported the breach. A multistate investigation ensued,
focusing on Carnival’s email security practices and compliance with state breach
notification statutes.
“Unstructured”
data breaches like the Carnival breach involve personal information stored via
email and other disorganized platforms. Businesses lack visibility into this
data, making breach notification more challenging — and delays cause a rise in consumer
risk.
Key settlement
provisions focus on Carnival’s agreement to strengthen its email security and
breach response practices going forward. Those include:
- Implementing and maintaining a breach response and
notification plan;
- Email security training requirements for employees,
including dedicated phishing exercises;
- Multi-factor authentication for remote email access;
- Password policies and procedures requiring the use of
strong, complex passwords, password rotation, and secure password storage;
- Maintaining enhanced behavior analytics tools to log
and monitor potential security events on the company’s network; and
- Undergoing an independent information security
assessment.
In joining the settlement,
Nevada joins the co-lead states of Connecticut, Florida and Washington, as well as Alabama, Alaska, Colorado,
Arizona, Arkansas, Delaware, the District of Columbia, Georgia, Hawaii, Idaho,
Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts,
Michigan, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New
Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon,
Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah,
Vermont, Virginia, West Virginia, Wisconsin and Wyoming.
###