Carnival Cruise Fined for Cybersecurity Violations by New York State

Some companies transgressions can be seen as a guide of “what not to do” in terms of cybersecurity compliance: repeated violations, insufficient controls, multiple breaches yet no lessons learned, the list goes on. Carnival Cruise Line may be one of those companies. Carnival Cruise Line was fined $5 million on June 24^th, 2022, for “significant” cybersecurity violations following four security breaches from 2019 to 2021, that exposed a large amount of sensitive customer data [1]. The investigation by New York State found that the company failed to implement several mandatory safeguards required under New York law. Furthermore, the cruise line allegedly repeatedly recertified compliance with New York’s Department of Financial Services (NYDFS) Cybersecurity Regulation even though they were not compliant. But let’s back up first and figure out how we got here.

New York’s Department of Financial Services enacted the NYDFS Cybersecurity Regulation (also known as 23 NYCRR 500) in 2017 to impose strict requirements for financial institutions to safeguard customer’s personal information. The law applies to all entities operating under or required to operate under the DFS licensure, registration or charter or are regulated by the DFS as well as covered entities including:

• State-charted banks
• Licensed lenders
• Private banks
• Foreign banks licensed to operate in New York
• Mortgage companies
• Insurance companies
• Service providers

The Regulation includes a list of requirements to safeguard information including creating a cybersecurity program, appointing a Chief Information Security Officer (CISO), implementing multi-factor authentication (MFA), conducting risk assessments, penetration tests and vulnerability assessments, among others.

Carnival Cruise Line was a licensed insurance producer in New York state and sold various insurance products, therefore was subject to DFS’s Cybersecurity Regulation law. The company failed to maintain certain safeguards required under 23 NYCRR 500 including:

• Failure to implement multi-factor authentication (MFA) despite the fact that the company suffered four data breaches between 2019 and 2021 including two ransomware attacks. Two of the breaches happened within three months of each other. Some of the information seized by hackers included passport numbers, Social Security numbers, employee credit card numbers and private health information.
• Failure to report the first breach to the Department as required by the regulation. Carnival waited 11 months to report the first breach (the breach window is 72 hours).
• Failure to conduct adequate cybersecurity training for their employees despite multiple breaches.
• Failure to implement sufficient risk-based policies and procedures designed to detect unauthorized access or use of, or tampering with, nonpublic information.
•  Failure to annually certify compliance with the Cybersecurity Regulation for 2018, 2019 and 2020 (their filing was improper due to the company failing to implement the controls listed above).

As a result, their cybersecurity compliance certifications for the Cybersecurity Regulations law were improper. Besides the $5 million dollar fine, they also agreed to surrender their insurance provider licenses. They are not allowed to sell insurance in the state of New York until further notice. Carnival Cruise Line also recently settled a lawsuit brought by 45 state attorneys general and the District of Columbia for $1.25 million due to the first data breach in 2019[2]. The DFS Superintendent, Adrienne Harris who oversaw the investigation explained the importance of protecting personal information: “A data breach exposing personal data allows bad actors to, among other things, commit identity theft, which can have significant repercussions on an individual’s financial health. DFS will continue diligently enforcing its first-in-the-nation Cybersecurity Regulation to ensure that consumers’ personal, non-public, and sensitive data are protected.”[3] Companies should ensure they are fully compliant with applicable laws, or they could find themselves in a similar situation.

Review a copy of the consent order.

Also, it is worth noting that non-banking institutions, such as mortgage lenders, motor vehicle dealers, and payday lenders are now subject to compliance under the FTC Safeguards Rule.  Under this rule, these institutions must develop, implement, and maintain a comprehensive security system to keep their customers’ information safe.  The deadline for compliance is looming and failure to comply can result in restrictions and penalties by the FTC.

[1] https://www.reuters.com/technology/carnival-is-fined-5-mln-by-new-york-over-cybersecurity-violations-2022-06-24/

[2] https://www.complianceweek.com/regulatory-enforcement/nydfs-penalizes-carnival-5m-for-cybersecurity-failures/31816.article

[3] https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202206241