State news

Connecticut, 45 other states, agree to settlement with Carnival Cruise Line

Connecticut, along with 45 other states, have agreed to a $1.25 million settlement with Florida-based Carnival Cruise Line stemming from a 2019 data breach that involved the personal information of about 180,000 Carnival employees and customers nationwide. Connecticut will receive $67,500 from the settlement.

In March 2020, Carnival publicly reported a data breach in which an unauthorized actor gained access to certain Carnival employee e-mail accounts. The breach included names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and a relatively small number of Social Security Numbers. More than 1,200 Connecticut residents were impacted.

Breach notifications sent to attorneys general offices stated that Carnival first became aware of suspicious email activity in late May of 2019—approximately 10 months before Carnival reported the breach. A multistate investigation then focused on Carnival’s email security practices and compliance with state breach notification statutes.

Officials say “unstructured” data breaches like the Carnival breach involve personal information stored via email and other disorganized platforms. Businesses lack visibility into this data, making breach notification more challenging—and consumer risk rises with delays.

Following the Carnival breach, Connecticut shortened the time limit for companies to provide notice of a data breach under the state’s breach notification statute from 90 days to 60 days.

Under the settlement, Carnival has agreed to a series of provisions designed to strengthen its email security and breach response practices going forward.

Connecticut co-led the multistate investigation.

Now Playing

Rock Facebook




Artist Profile

Concert Calendar

Community Calendar