TRENTON – Acting Attorney General Matthew J. Platkin announced today that New Jersey is party to an overall $1.25 million settlement with Florida-based Carnival Cruise Line that resolves a multistate investigation into a data breach that compromised the personal information of approximately 180,000 Carnival employees and customers nationwide.
The multistate investigation determined that deficiencies in Carnival’s data security program contributed to the breach in violation of state consumer protection and personal information protection laws. The investigation also determined that Carnival did not provide adequate notice of the breach to consumers and regulators. New Jersey will receive approximately $25,097 from the settlement.
Overall, Carnival will pay the participating states a total of $1.25 million under the settlement and implement a number of new requirements that will strengthen Carnival’s email security and data breach response practices going forward.
“The data security requirements of this settlement are as important as the dollars,” said Acting Attorney General Platkin. “Businesses that electronically store the sensitive personal information of their employees and customers not only have a duty to protect that data, but must also provide prompt breach notifications to consumers when that information is compromised. If businesses fail to do so, we will hold them accountable. As a result of the states’ investigation, Carnival must now tighten up its systems and practices in order to better protect consumer privacy going forward.”
In March 2020, Carnival publicly reported a data breach in which an unauthorized actor had gained access to certain Carnival employee e-mail accounts. As a result, employee and customer names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and a relatively small number of Social Security Numbers were compromised. A total of 3,100 New Jersey residents were impacted.
Breach notifications sent to attorneys general's offices stated that Carnival first became aware of suspicious email activity in late May of 2019—approximately 10 months before Carnival reported the breach. A multistate investigation ensued, focusing on Carnival’s email security practices and compliance with state breach notification statutes.
Unstructured data breaches like the Carnival breach involve personal information stored in email and other disorganized platforms rather than in structured databases. Businesses often lack visibility into what personal information such data contains, which makes breach notification more challenging and, because notification is delayed, increases the risk to consumers.
“As consumers turn more and more to online transactions and electronic payment methods, businesses have a greater responsibility than ever to protect their privacy by maintaining effective data security measures,” said Division of Consumer Affairs Acting Director Cari Fais. “That did not happen in this particular case, but the terms of the settlement are designed to ensure that it does happen going forward.”
Under the settlement announced today, Carnival has agreed to a series of provisions designed to strengthen its email security and breach response practices going forward, including:
- Implementation and maintenance of a breach response and notification plan;
- Email security training requirements for employees, including dedicated phishing exercises;
- Password policies and procedures requiring the use of strong, complex passwords, password rotation, and secure password storage;
- Maintenance of enhanced behavior analytics tools to log and monitor potential security events on the company’s network; and
- Undergoing an independent information security assessment.
In addition to New Jersey, the following states’ Attorneys General participated in today’s settlement: Alabama, Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Montana, North Carolina, Ohio, Nebraska, Nevada, New Hampshire, New Mexico, New York, North Dakota, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.
Section Chief Kashif Chand and Deputy Attorney General Gina F. Pittore of the Data Privacy & Cybersecurity Section within the Division of Law’s Affirmative Civil Enforcement Practice Group represent the State in the matter. Investigator Aziza Salikhova of the Office of Consumer Protection within the Division of Consumer Affairs conducted the investigation.