Tennessee Joins $1.25 Million Multistate Settlement over 2019 Carnival Cruise Line Data Breach

Nashville – Lawyer Basic Herbert H. Slatery III introduced that Tennessee, together with 45 different attorneys basic, has obtained a $1.25 million multistate settlement with Florida-based Carnival Cruise Line after a 2019 knowledge breach that concerned the non-public data of roughly 180,000 Carnival workers and prospects nationwide. Tennessee will obtain $19,855.20 from the settlement.

In March 2020, Carnival publicly reported a knowledge breach wherein an unauthorized actor gained entry to sure Carnival worker e-mail accounts. The breach included names, addresses, passport numbers, driver’s license numbers, fee card data, well being data, and a comparatively small variety of Social Safety Numbers. In Tennessee, greater than two thousand Carnival workers have been impacted.

Breach notifications despatched to attorneys basic workplaces acknowledged that Carnival first grew to become conscious of suspicious e mail exercise in late Could of 2019—roughly 10 months earlier than Carnival reported the breach. A multistate investigation ensued, specializing in Carnival’s e mail safety practices and compliance with state breach notification statutes.

“Unstructured” knowledge breaches just like the Carnival breach contain private data saved through e mail and different disorganized platforms. Companies lack visibility into this knowledge, making breach notification tougher—and shopper threat rises with delays.

“Sadly, we stay in a world the place knowledge breaches will proceed to occur,” stated Basic Slatery. “What’s not inevitable is how an organization reacts. We hope this serves as a reminder: you might be required by state legislation to promptly notify these affected.”

Beneath the settlement, Carnival has agreed to a sequence of provisions designed to strengthen its e mail safety and breach response practices going ahead. These embrace:

• Implementation and upkeep of a breach response and notification plan;
• E mail safety coaching necessities for workers, together with devoted phishing workout routines;
• Multi-factor authentication for distant e mail entry;
• Password insurance policies and procedures requiring the usage of sturdy, complicated passwords, password rotation, and safe password storage;
• Upkeep of enhanced conduct analytics instruments to log and monitor potential safety occasions on the corporate’s community; and
• In keeping with previous knowledge breach settlements, present process an unbiased data safety evaluation.

Connecticut co-led the multistate investigation with Florida and Washington, assisted by Alabama, Arizona, Arkansas, Ohio, and North Carolina, and joined by Alaska, Colorado, Delaware, the District of Columbia, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Dakota, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, West Virginia, Wisconsin, and Wyoming.

###

#22-16:  Tennessee Joins $1.25 Million Multistate Settlement over 2019 Carnival Cruise Line Information Breach