A 1.25-million-dollar multistate settlement has been reached between Carnival Cruise Line and 45 states.
In 2019, the cruise line became suspicious of a possible data breach. Although aware of the situation, they did not publicly report it until March of 2020. According to a breach notification sent to the attorneys general offices, that was in May. Ten months after they became aware. In that breech, about 180,000 Carnival employees and customers nationwide had their names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and, in a few instances, Social Security Numbers were stollen.
Attorney General Frosh Announced the settlement yesterday saying “Consumers must be notified of a data breach involving their personal information as soon as possible so that they can take the appropriate steps to protect themselves… Businesses must quickly identify the personal information they have stockpiled and promptly notify consumers if a breach occurs. Delayed notification of data breaches increases the risk to consumers.”
Under the settlement, Carnival Cruise Line will be forced to strengthen their security by creating and using a breach response and notification plan, requiring email security training including dedicated phishing exercises and password rotation to name a few.
States included in the settlement:
- Alabama
- Alaska
- Arizona
- Arkansas
- Colorado
- Connecticut
- Delaware
- the District of Columbia
- Florida
- Georgia
- Hawaii
- Idaho
- Indiana
- Iowa
- Kansas
- Kentucky
- Louisiana
- Maine
- Massachusetts
- Michigan
- Minnesota
- Montana
- Nebraska
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- North Dakota
- North Carolina
- Ohio
- Oklahoma
- Oregon
- Pennsylvania
- Rhode Island
- South Carolina
- South Dakota
- Tennessee
- Utah
- Vermont
- Virginia
- West Virginia
- Washington
- Wisconsin
- Wyoming