On June 24, 2022, the New York Department of Financial Services (“DFS”) announced a cybersecurity settlement with Carnival Corporation d/b/a Carnival Cruise Line, Princess Cruise Lines, Holland America Line, Seabourn Cruise Line, and Costa Cruise Lines (collectively, the “Carnival Companies”), after finding several violations of the New York State’s first-in-the nation Cybersecurity Regulation (23 NYCRR Part 500, hereinafter the “Regulations”).  The settlement, memorialized in a consent order, provides that the Carnival Companies must pay a $5 million penalty. Notably, also in connection with the settlement, the Carnival Companies agreed to surrender their New York State insurance licenses.  The story serves as a cautionary tale—a cybersecurity event that catches DFS’s attention might lead DFS to discover several underlying and unreported violations of the Regulations during its investigation into that event.

As we’ve written about before, DFS regulates a range of entities involved in the finance and insurance fields.  The Regulations were promulgated in 2017, and, as previously reported, DFS has stepped up its enforcement efforts, having already brought several enforcement actions resulting in several millions of dollars for violations.

The Carnival Companies, most obviously known for their cruises, fell within DFS’s regulatory authority because they were licensed to sell life insurance, accident and health insurance, and variable life/variable annuities insurance in New York State.  As a result, the Carnival Companies were required to comply with the Regulations, including certifying annually that they were indeed in compliance.

The story begins in May of 2019, when the Carnival Companies discovered that a company email account was sending spam to other internal email accounts.  This prompted an internal investigation, which revealed that between April and July of 2019, dozens of employee email accounts had been compromised by a phishing attack and a “password spray attack”—i.e., an attempt to gain unauthorized access to accounts by testing multiple passwords on many accounts in quick succession.  The attacks exposed non-public information (“NPI”) belonging to employees and consumers, as defined in Section 500.1(g), including passport numbers and drivers’ licenses.  Although the Carnival Companies first became aware this “cybersecurity event” in May 2019, and were thus obligated to notify DFS promptly (and in no event later than 72 hours from discovery), it failed to do so until April 2020. 

The Carnival Companies then reported three additional “cybersecurity events” within less than a year.  First, they reported suffering back-to-back ransomware attacks, in August 2020 and in January 2021. Those attacks exposed consumer and employee NPI, including names, addresses, dates of birth, passport numbers.  Then in March 2021, the Carnival Companies reported another phishing attack, which exposed an employee’s login credentials, and thus allowed unauthorized access to the same types of NPI. 

Unsurprisingly, the reporting of multiple “cybersecurity events” in such a short period caught DFS’s attention.  DFS investigated and found that the Carnival Companies violated:

• Section 500.12(b), which required the Carnival Companies to have Multi-Factor Authentication (“MFA”) in place as of March 1, 2018.  At the time of the first cybersecurity event in April 2019, the Carnival Companies still had not implemented MFA on one of their email environments. 

• Section 500.17(a), which requires covered entities to notify DFS of cybersecurity events as promptly as possible, but no later than 72 hours after discovery. Because the Carnival Companies did not report the first cybersecurity event for over a year, they violated this provision. 

• Section 500.02(b)(6), which requires covered entities to maintain a cybersecurity program that is designed to “fulfill applicable regulatory reporting obligations.”  The Carnival Companies’ incident response plan did not require them to promptly notify DFS of cybersecurity events. 

• Section 500.14, which calls for cybersecurity awareness training for all personnel.  DFS found the occurrence of four cybersecurity events in quick succession indicative of the Companies’ failure to adequately train personnel. 

• Section 500.17(b), which requires covered entities to annually certify compliance with the requirements of the Regulation.  The Carnival Companies had timely certified compliance, but because they suffered from the defects outlined above, their certifications for 2018, 2019, and 2020 were improper. 

The consequences of these violations were steep—not only a $5 million penalty, but also the surrender of insurance licenses.

Other covered entities should take note of this consent decree and ensure that they have complied with all applicable provisions of the Regulations, including the need to promptly identify and report cybersecurity events and to ensure that compliance certifications are accurate.  Failure to do so could result in hefty fines and loss of licenses.