Arizona, along with over 40 states, obtained a $1.25 million multistate settlement with Florida-based Carnival Cruise Line, stemming from a 2019 data breach that involved the personal information of approximately 180,000 Carnival employees and customers nationwide.
Arizona will receive a meager $52,177.22 from the settlement.
In March 2020, Carnival publicly reported a data breach in which an unauthorized person gained access to certain employee e-mail accounts. The breach included names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and some Social Security numbers. 4,849 Arizona residents were impacted. An investigation was started after breach notifications showed Carnival only reported the incident 10 months after it happened.
Under the settlement, Carnival has agreed to strengthen its email security and breach response practices going forward. Those include:
- Implementation and maintenance of breach response and notification plan;
- Email security training requirements for employees, including dedicated phishing exercises;
- Multi-factor authentication for remote email access;
- Password policies and procedures requiring the use of strong, complex passwords, password rotation, and secure password storage;
- Maintenance of enhanced behavior analytics tools to log and monitor potential security events on the company’s network; and
- Consistent with past data breach settlements, undergoing an independent information security assessment.