Carnival Cruise Introduces Port Multi-State Data Breach – Privacy Protection


To print this article, all you need to do is be registered or log in to

Even as states continue to pass comprehensive privacy laws, attorneys general remain active in enforcing their data breach laws and using their deceptive marketing practices authority in the space confidentiality. Just last week, 46 States AG signed a settlement, which took the form of a voluntary compliance assurance, with international cruise line Carnival over its 2019 data breach. of employees would have exposed sensitive personal information contained in the content of the emails, thereby affecting consumers in the state. The payment to the states is $1.25 million in total.

While this regulation adds to a long list of AG privacy cases, it serves as a useful roadmap for companies wishing to stay on top of what data security expectations AGs have and what type of terms and conditions application you can expect if you experience a breach.

In its agreement, Carnival has agreed to comply with state laws prohibiting unfair and deceptive marketing practices, as well as specific data security and breach notification laws, particularly with respect to securing data. personal information (as defined by state law) from security incidents, defined as confirmed unauthorized access to or acquisition of a Consumer’s personal information owned, authorized or maintained by Carnival. It also undertakes to comply with consumer protection laws regarding declarations concerning the confidentiality and security of personal information.

Within 180 days of the Effective Date, Carnival must maintain a comprehensive information security program appropriate to the size and complexity of operations, the nature and scope of activities, and the sensitivity of personal information. Carnival must employ an information security officer and must additionally provide security and privacy awareness training to all personnel with access to the network or responsible for personal information annually and after hire. Carnival must also update its written Incident Response and Data Breach Notification Plan to ensure preparedness, detection and analysis, containment, eradication and recovery workflows are compliant.

Carnival shall further develop, implement and maintain personal information retention policies, employ email filtering and protection, establish encryption policies and maintain an appropriate system to collect logs and monitor customer activity. network and establish policies to analyze security and real-time events. Carnival shall implement appropriate policies for auditing accounts, ensuring password protection, multi-factor authentication for remote access, firewall policies, penetration testing, and performing an annual security assessment. risks. The company must also obtain a third-party risk assessment within 18 months of the effective date and provide a copy to Washington State for review.

While many of the specific provisions expire after 5 years, it should be apparent that state MAs will require detailed compliance programs and ongoing monitoring if they find any failure in security practices. Ensuring you now have a detailed security program in place and continually looking for ways to improve your security practices are valuable ways to minimize later GA scrutiny. Also note that some of the injunctive conditions are broadly applicable even beyond the specific incident in question, potentially subjecting the company to greater penalties in the event of another, albeit unrelated, security incident. .

* * * *

Join us tomorrow for State Attorneys General 102. This short 30-minute webinar picks up where State Attorneys General 101 left off and answers a number of questions regarding:

  • Pre-Trial/Investigation Notice Requirements for Attorneys General

  • Additional Information on the Scope of Attorneys General’s Investigative Power and How to Challenge an Investigation

  • Consumer complaints: differences between SAs on handling and use

register here

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.


12 steps to take before and during a data breach

Godfrey & Kahn SC

Your organization, like many others, probably recognizes the serious risk a data breach poses. No one wants the personal information of their employees or benefit plan members stolen.

FTC to ‘crack down’ on Ed Tech’s use of children’s data

Global Advertising Lawyers Alliance (GALA)

The Federal Trade Commission (FTC) has unanimously approved a policy statement that emphasizes the application of the Children’s Online Privacy Protection Act (COPPA) to education technologies…


About Author

Comments are closed.