On June 23, 2022, the New York State Department of Financial Services (NYDFS) announced the entry of a Consent Order in connection with its most recent cybersecurity enforcement action, which included a $5 million monetary penalty against Carnival Cruise Line, Princess Cruise Lines, Holland America Line, Seabourn Cruise Line, and Costa Cruise Lines (“Carnival Companies”), for violations of NYDFS’s Cybersecurity Regulation, 23 NYCRR Part 500 (“Part 500”). In addition to the $5 million monetary penalty, the Carnival Companies also surrendered their insurance producer licenses and agreed to cease selling insurance to residents of New York.
According to the Consent Order, between 2019 and 2021, the Carnival Companies were the subject of four separate cybersecurity events, including ransomware and phishing attacks. All four of the cybersecurity events led to the exposure of nonpublic personal information (NPI) of both consumers and employees, including such information as names, addresses, birth dates, passport numbers, and in some instances, other sensitive information such as social security numbers and health information.
In connection with its investigation, NYDFS determined that the Carnival Companies violated several requirements of Part 500. These violations included a failure to report a cybersecurity event within 72 hours, a failure to maintain proper reporting requirements as part of their cybersecurity program, a failure to implement multifactor authentication, a failure to maintain policies and procedures to monitor network activity for unauthorized use, and a failure to implement proper personnel training. As a result of these violations, NYDFS also determined that the Carnival Companies’ annual cybersecurity compliance certifications from 2018-2020 were inaccurate.
In the Consent Order, NYDFS reiterated the importance of protecting consumer NPI, emphasizing the need for Covered Entities to implement and maintain effective cybersecurity programs “especially in the current digital age as criminals seek to steal consumer data and utilize the data to cause financial harm.” NYDFS highlighted that, at a minimum, cybersecurity programs must: “(1) include effective controls and secure access privileges; (2) include systems and policies in place for conducting thorough and routine cybersecurity risk assessments; and (3) provide for comprehensive training and monitoring for all employees and users, including independent contractors and vendors.” In addition, the Consent Order highlighted further organizational accountability, noting that Covered Entities must have “well-grounded governance processes in place, with adequate board reporting, to ensure senior management’s attention to securing and protecting consumer NPI and preventing Cybersecurity Event(s).”
The importance of compliance with Part 500 is further demonstrated by the size of the monetary penalty issued by NYDFS. For comparison, the $5 million NYDFS penalty is separate from, and in addition to, the $1.25 million multistate settlement with the Carnival Companies announced on June 22, 2022. That settlement was obtained by 46 state attorneys general in relation to a 2019 data breach, which involved NPI of 180,000 consumers and Carnival Companies employees from across the nation.
The Consent Order with the Carnival Companies is the fifth settlement reached between NYDFS and Covered Entities relating to violations of Part 500. It also includes the most significant financial penalties levied against a Covered Entity for violations of Part 500. As such, it is clear that NYDFS remains committed to actively and aggressively pursuing material enforcement actions in connection with violations of Part 500. As always, Covered Entities should ensure that they understand and remain in compliance with all of the requirements of Part 500.
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.