DFS Superintendent Harris Announces $5 Million Penalty On Cruise Company Carnival Corporation and its Subsidiaries for Significant Cybersecurity Violations
Superintendent of the Department of Financial Services, Adrienne A. Harris, announced today that Carnival Corporation d/b/a Carnival Cruise Line, Princess Cruise Lines, Holland America Line, Seabourn Cruise Line, and Costa Cruise Lines (collectively, the “Carnival Companies”) will pay a $5 million penalty to New York State for violations of the Cybersecurity Regulation (23 NYCRR Part 500) that caused the exposure of a substantial amount of sensitive, non-public, personal data belonging to its customers, including New York consumers.
“A data breach exposing personal data allows bad actors to, among other things, commit identity theft, which can have significant repercussions on an individual’s financial health. It is critical that companies take appropriate action to protect consumers’ personal information,” said Superintendent Harris. “DFS will continue diligently enforcing its first-in-the-nation Cybersecurity Regulation to ensure that consumers’ personal, non-public, and sensitive data are protected.”
The Department’s investigation uncovered evidence that the Carnival Companies had been the subject of four cybersecurity events between 2019 and 2021, including two ransomware attacks. These Cybersecurity Events involved the unauthorized access of the companies’ information systems, leading to the exposure of customers’ sensitive, personal data. The Department’s investigation uncovered, among other things, that the Carnival Companies violated the DFS Cybersecurity Regulation by failing to implement Multi-Factor Authentication (“MFA”), failing to promptly report the first Cybersecurity Event to the Department as required by the Regulation, and failing to conduct adequate cybersecurity training for their personnel.
As a result of these failures, the Carnival Companies’ cybersecurity compliance certifications for the calendar years 2018 through 2020 were improper. The delay in MFA implementation, together with the training and reporting failures, left the Carnival Companies’ Information Systems and their consumers’ Non-Personal Information (“NPI”) extremely vulnerable to bad actors.
At the time of the incidents, the Carnival Companies were licensed insurance producers in New York State, sold various insurance products, and thus were subject to DFS’s Cybersecurity Regulation. In connection with the settlement, the Carnival Companies surrendered their insurance producer licenses, and the Department has accepted the surrender. As a result, the Carnival Companies have ceased selling insurance in the State of New York.
DFS’s Cybersecurity Regulation became effective in March 2017. The Cybersecurity Regulation was drafted with substantial industry input: DFS surveyed nearly 200 regulated banking institutions and insurance companies, met with a cross-section of respondents and cybersecurity experts during the drafting period, and facilitated two rounds of notice and comment. Additional implementation time was granted for multiple provisions, and the regulation became fully effective in March 2019.
DFS’s Cybersecurity Regulation has served as a model for other regulators, including the U.S. Federal Trade Commission, multiple states, the National Association of Insurance Commissioners (NAIC), and the Conference of State Banking Supervisors (CSBS) Nonbank Model Data Security Law.