In addition, Carnival agrees to comply with consumer protection acts with respect to representations regarding privacy and security of personal information. In its Agreement, Carnival has agreed to comply with state laws prohibiting unfair and deceptive trade practices and certain data security and breach notification laws specifically in connection with securing Personal Information (as defined by state statutes) against Security Incidents, defined as confirmed unauthorized access to or acquisition of a Consumer’s personal information owned, licensed, or maintained by Carnival. Although there are several forms of privacy cases each with its own unique set of facts and circumstances that factor into outcomes, both the New York Consent Order and multistate Agreement serve as useful roadmaps for companies that seek to understand and comply with AG privacy expectations, and what type of enforcement you may anticipate if a breach occurs. According to New York’s Department of Financial Services, Carnival for lapses in security technology and training and for failing to promptly disclose multiple cybersecurity incidents over a multiyear period that exposed Carnival customers’, employees’, and crew’s personal information. Additionally, Carnival must surrender its New York state insurance licenses pursuant to the Consent Order. The payment to the states is $1.25M total.Īdditionally, this week, it was announced that Carnival must pay a $5M penalty to New York state over a breach of consumer data that violated the state’s cybersecurity rules (the “New York Consent Order”) for violations under New York cybersecurity laws. An assurance is not an admission of guilt however, parties voluntarily enter into assurances that if violated will have the same force of law just like an injunction, judgment, or final court order. An Assurance of Voluntary Compliance (hereafter the “Agreement”) is a settlement agreement that is entered into between a state AG and an individual or business that the AG believes has or may in the future violate a consumer protection law(s). This data breach impacted state consumers. Last week, 46 State AGs signed an Assurance of Voluntary Compliance with international cruise corporation Carnival Corporation d/b/a Carnival Cruise Line and certain related entities (collectively, “Carnival”) stemming from a 2019 data breach wherein employee email accounts purportedly exposed sensitive personal information. continue to push for stricter, comprehensive privacy laws and regulations, Attorneys General (AGs) are active in both enforcing their data breach laws and utilizing their deceptive trade practice authority in the privacy space. The company did not indicate whether it paid a ransom.JCarnival Cruise Lines 2019 Data Breach Results in $5M to NY State, $1.2M to Other States, and an Instructive Roadmap for Privacy ComplianceĪs many states in the U.S. Carnival said there was no indication that personal information exposed in those attacks was misused. The attackers encrypted part of one cruise line’s IT systems and gained access to personal information about customers and employees. The Miami-headquartered company disclosed in a securities filing in April that hackers broke into its systems in August of last year and again in December. He said Carnival is making changes to improve security of its information systems.įrizzell said the company has notified the affected people and set up a call center to answer their questions. The breach comes after Carnival was hit twice last year by ransomware attacks.Ĭarnival spokesman Roger Frizzell said the company detected the latest intrusion to some of its information-technology systems on March 19 and shut down access and hired a cybersecurity company to investigate. The company declined to say how many people’s information was exposed. In a letter to customers, the company indicated that outsiders might have gained access to Social Security numbers, passport numbers, dates of birth, addresses and health information of people.
0 kommentar(er)
