LAS VEGAS (KLAS)– On Wednesday, Attorney General Aaron D. Ford announced Nevada has obtained a $1.25 million multistate settlement with Florida-based Carnival Cruise Line as part of a coalition of 46 attorneys general.

The settlement follows an investigation into a 2019 data breach that compromised the personal information of approximately 180,000 Carnival employees and customers nationwide. Out of that number, 2,946 were Nevada residents. Nevada will receive $24,255.45 from the settlement.

In March 2020, Carnival publicly reported a data breach in which an unauthorized actor gained access to certain Carnival employee e-mail accounts. The breach included names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and a small number of Social Security Numbers.

“Personal information is a valuable commodity,” said AG Ford. “Companies entrusted with this information must be diligent in both securing the information, and letting consumers know when their information is at risk. Timely action is crucial, and I encourage all hospitality providers to review this settlement and update their own policies and procedures if necessary.”

Carnival sent breach notifications to attorneys general offices stating it first became aware of suspicious email activity in late May 2019, about 10 months before Carnival reported the breach. As a result, a multistate investigation focusing on Carnival’s email security practices and compliance with state breach notification statutes happened.

Data breaches like the Carnival breach involve personal information stored via email and other disorganized platforms. Businesses lack visibility into this data, making breach notification more challenging resulting in delays which cause a rise in consumer risk.

Key settlement provisions focus on Carnival’s agreement to strengthen its email security and breach response practices going forward. Those include:

  • Implementing and maintaining a breach response and notification plan.
  • Email security training requirements for employees, including dedicated phishing exercises;
  • Multi-factor authentication for remote email access.
  • Password policies and procedures requiring the use of strong, complex passwords, password rotation, and secure password storage.
  • Maintaining enhanced behavior analytics tools to log and monitor potential security events on the company’s network.
  • Undergoing an independent information security assessment.