Acting Attorney General Matthew Platkin announced Wednesday that New Jersey is party to a multistate, $1.25 million settlement with Carnival Cruise Line stemming from a 2019 data breach.
The breach, which affected nearly 180,000 Carnival employees and customers nationwide and 3,100 New Jerseyans, led to a multistate investigation. That investigation determined that deficiencies in Carnival’s data security program contributed to the breach and violated state consumer protection and personal information protection laws. It also found that Carnival did not adequately notify consumers and regulators about the breach.
New Jersey will receive roughly $25,097 from the settlement.
“The data security requirements of this settlement are as important as the dollars,” said Platkin. “Businesses that electronically store the sensitive personal information of their employees and customers not only have a duty to protect that data, but must also provide prompt breach notifications to consumers when that information is compromised. If businesses fail to do so, we will hold them accountable. As a result of the states’ investigation, Carnival must now tighten up its systems and practices in order to better protect consumer privacy going forward.”
Carnival did not publicly report the breach until March 2020. It resulted in employee and customer names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and a relatively small number of Social Security numbers being compromised.
“As consumers turn more and more to online transactions and electronic payment methods, businesses have a greater responsibility than ever to protect their privacy by maintaining effective data security measures,” said Division of Consumer Affairs acting Director Cari Fais. “That did not happen in this particular case, but the terms of the settlement are designed to ensure that it does happen going forward.”
Under the announced settlement, Carnival agreed to a number of provisions to strengthen its email security and breach response moving forward:
- Implementation and maintenance of a breach response and notification plan
- Email security training requirements for employees, including dedicated phishing exercises
- Password policies and procedures requiring the use of strong, complex passwords, password rotation and secure password storage
- Maintenance of enhanced behavior analytics tools to log and monitor potential security events on the company’s network
- Undergoing an independent information security assessment
In addition to New Jersey, the following states participated in the settlement: Alabama, Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Montana, North Carolina, Ohio, Nebraska, Nevada, New Hampshire, New Mexico, New York, North Dakota, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin and Wyoming.