Crown Cafe

Connecticut to Receive $67,505

(Hartford, CT) – Attorney General William Tong announced that Connecticut, along with 45 other attorneys general, has obtained a $1.25 million multistate settlement with Florida-based Carnival Cruise Line stemming from a 2019 data breach that involved the personal information of approximately 180,000 Carnival employees and customers nationwide. Connecticut will receive $67,505.86 from the settlement.

In March 2020, Carnival publicly reported a data breach in which an unauthorized actor gained access to certain Carnival employee e-mail accounts. The breach included names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and a relatively small number of Social Security Numbers. More than 1,200 Connecticut residents were impacted.

Breach notifications sent to attorneys general offices stated that Carnival first became aware of suspicious email activity in late May of 2019—approximately 10 months before Carnival reported the breach. A multistate investigation ensued, focusing on Carnival’s email security practices and compliance with state breach notification statutes.

“Unstructured” data breaches like the Carnival breach involve personal information stored via email and other disorganized platforms. Businesses lack visibility into this data, making breach notification more challenging—and consumer risk rises with delays.

“It’s important that Connecticut residents are notified quickly when their information may be at risk due to a data breach” said Attorney General Tong. “This settlement sends the message that companies need to take stock of what information they maintain and take reasonable steps to protect that information. Storing large amounts of information in unmanageable formats, such as email, does not excuse delays in notifying state attorneys general or impacted individuals about a breach.”

Following the Carnival breach, Connecticut shortened the time limit for companies to provide notice of a data breach under the state’s breach notification statute from 90 days to 60 days.

Under the settlement, Carnival has agreed to a series of provisions designed to strengthen its email security and breach response practices going forward. Those include:

Implementation and maintenance of a breach response and notification plan;Email security training requirements for employees, including dedicated phishing exercises;Multi-factor authentication for remote email access;Password policies and procedures requiring the use of strong, complex passwords, password rotation, and secure password storage;Maintenance of enhanced behavior analytics tools to log and monitor potential security events on the company’s network; andConsistent with past data breach settlements, undergoing an independent information security assessment.

This press release is made possible by:

Crown Cafe
Stephen Krauchick

By Stephen Krauchick

DoingItLocal is run by Steve Krauchick. Steve has always had interest with breaking news even as an early teen, opting to listen to the Watergate hearings instead of top 40 on the radio. His interest in news spread to become the communities breaking news leader in Connecticut’s Fairfield County. He strongly believes that the public has right to know what is happening in their backyard and that government needs to be transparent. Steve also likes promoting local businesses.

Leave a Reply