On June 24, 2022, the New York State Department of Financial Services (“NYDFS” or the “Department”) announced that it had reached a $5 million settlement with Carnival Corp. (“Carnival”), the world’s largest cruise ship operator. , for violation of Cybersecurity Regulations (23 NYCRR Part 500) in connection with four cybersecurity events between 2019 and 2021, including two ransomware events.
In its consent order, the Department noted that the cybersecurity events caused the exposure of a significant amount of sensitive personal data belonging to Carnival customers, including those residing in New York. Since Carnival was licensed by the Department to sell insurance in New York State, it has been treated as a covered entity under cybersecurity regulations. NYDFS also found that Carnival failed to implement basic protocols to prevent data breaches. The first cyberattack took place through a phishing email or password spray attack where unauthorized third parties gained access to 124 employee accounts and used this access to send a series of phishing emails. Although the first attack resulted in the exposure of certain data such as consumer and employee names, addresses, and government identification information, Carnival did not (1) report the incident to NYDFS for 10 months, (2) provided adequate cybersecurity training for its staff, and (3) implemented multi-factor authentication in its internal email policy.
Between August 2020 and March 2021, Carnival reported three additional incidents, including two ransomware attacks and a phishing email in which a malicious actor deployed malware, accessed and encrypted certain internal information systems, and exfiltrated certain data files. These incidents led to the exposure of customers’ names, addresses, dates of birth, and passport numbers, as well as the names, addresses, phone numbers, social security numbers, private health information, and credit card numbers of employees.
Although Carnival certified compliance with cybersecurity regulations at the time of the incidents, NYDFS found Carnival’s certification of compliance to be inadequate. In addition to the $5 million fine, the NYDFS also agreed to Carnival’s surrender of its insurance producer license; thus, Carnival stopped selling insurance in New York.
Copyright © 2022, Hunter Andrews Kurth LLP. All rights reserved.National Law Review, Volume XII, Number 182