Carnival Cruise Line’s $1.25 Million Multistate Breach Settlement: 5 Lessons to Avoid and Mitigate Unstructured Data Breaches

Corporate email systems can often become repositories of personal information, with sensitive data elements appearing in the bodies of messages and their attachments, often with no discernable structure or organization. When employees fall victim to phishing scams and or other attacks that give threat actors access to their accounts, the “unstructured” nature of the personal information those accounts contain can make breach response especially challenging.

A multistate data breach settlement announced last week between Carnival Cruise Line and the Attorneys General of 45 states (including North Carolina’s Josh Stein) and the District of Columbia shows just how challenging. This post explores that settlement, and the lessons it teaches for companies seeking to avoid and mitigate the effect of unstructured data breaches.

The trouble for Carnival began when, in May 2019, the company discovered that unauthorized third parties actors had obtained access to over 120 of its employees’ cloud-based email accounts. Those accounts collectively contained some 180,000 Carnival employees’ and guests’ personal information, including names, Social Security numbers, government identification numbers such as passport numbers and national identity card numbers, credit card and financial account information, and health-related information.

The company launched an investigation, and some ten months later, in March 2020, notified regulators and the affected individuals that the personal information in the affected accounts “may have been accessed without authorization.” The time elapsed between the company’s discovery of the incident and its notification of individuals—which was presumably due in part to the work required to review each impacted email account and inventory the personal information it contained—prompted the coordinated multistate investigation by the AGs of North Carolina and other states.

As part of the settlement signed to resolve the AGs’ claims related to the incident, Carnival will pay a penalty of $1.25 million, implement a series of safeguards to prevent similar events from occurring in the future, and undergo an information security risk assessment by an independent third party. One notable aspect of the investigation and settlement is the AGs’ focus on the risks posed by unstructured data breaches. As AG Stein’s press release explains:

“Unstructured” data breaches . . . involve personal information stored via email and other disorganized platforms. Businesses lack visibility into this data, making breach notification more challenging—and consumer risk rises with delays.

The Carnival settlement thus teaches some important lessons for organizations seeking to avoid or mitigate unstructured data breaches.

  • Implement Multifactor Authentication

In our experience, many an email account compromise could have been avoided if multifactor authentication (MFA) had been implemented for access to the account. That safeguard—which can thwart an account compromise even if an attacker successfully steals an employee’s password—is becoming table stakes to establish “reasonable security” as required under multiple state and federal data security laws and rules. To that end, the FTC has highlighted MFA as a “basic” cybersecurity practice, and the Carnival multistate settlement requires Carnival to implement it for remote access to the company’s network.

  • Minimize the collection and retention of sensitive data

The AGs’ settlement with Carnival also requires Carnival to implement policies and procedures that require personal information only to be retained “consistent with a business need or legal requirement” and to be securely disposed of when no longer needed for those purposes.

This concept of “data minimization” is a best practice that pays big dividends in the form of reduced time, effort, and cost to investigate and respond to a breach like the one suffered by Carnival. Conversely, failing to control the collection and retention of sensitive personal information, especially in unstructured repositories like employee email accounts, can quickly cause breach investigation and response costs and timelines to balloon.

But aside from making great practical sense, data minimization is also emerging as a requirement under various state and federal privacy and data security laws. To that end, the FTC has treated holding on to personal information when it’s no longer necessary as an “unreasonable data security practice” that constitutes an unfair act or practice that violates Section 5 of the FTC Act. And the CPRA, when it comes into effect next year, will enshrine storage limitation as an express legal requirement when it comes to California residents’ personal information.

  • Avoid (or minimize) the use of unstructured repositories to collect and transmit sensitive personal information

Given the costs and headaches that can result from the compromise of an email account or other unstructured repository used to collect, store, or transmit sensitive personal information, organizations should strongly consider using alternative solutions to carry out those activities. Indeed, Attorney General Stein has been clear on this point. His office’s Annual Data Breach Report for 2021 advises organizations: “Don’t use email to send and receive personal information.”

Which alternative solutions are available and make sense will depend on the organization and its business needs, but options can include commercial file sharing services and online platforms and portals that allow personal information to be collected, transmitted, and stored in a more secure and structured manner.

  • Beef up your logging

If the use of email and other unstructured repositories to store and transmit sensitive personal information can’t be avoided entirely, a useful mitigating control can be to implement more granular and detailed logging of user activity in those repositories.

Cloud-based email platforms, for example, often allow for the logging of detailed user activities such as viewing or downloading individual mail items and attachments in an email account. If an account compromise occurs, having logs of those activities can allow the organization to narrow the scope of its investigation and response activities by reviewing only those items that the attacker actually accessed.

Without those logs, by contrast, the organization may be left only with evidence that the attacker had access to the account and the ability to view or copy all of the data it contains. In that case, the organization may need to assume that any personal information in the account could have been compromised, even though stealing individuals’ personal information may not have been the attacker’s primary purpose (they’re often instead seeking to carry out more targeted, and lucrative, wire fraud schemes). The organization will then need to undertake a time-consuming and expensive review of the contents of the account, which can lead to notification delays that are likely to draw attention from regulators.

  • Focus on employee training and awareness.

Not surprisingly, given that the incident Carnival suffered targeted its employees’ email accounts, the Carnival settlement also includes a detailed email security training and awareness requirement. To that end, the company must conduct employee training with respect to phishing and conduct periodic phishing exercises at least two times a year to bolster email security awareness. The Company’s Chief Privacy Officer is also required to report aggregated exercise failure results to the CIO and COO, and to provide additional email security training as appropriate.

Those measures recognize that for most organizations, employees and their email accounts are the weakest link when it comes to cyber defenses. As phishing attacks become more sophisticated, training employees to recognize and avoid them can be critical to avoiding unstructured data breaches.

* * * *

Implementing the steps above can help put your organization in a better position to avoid the pain associated with unstructured data breaches. If you’d like to discuss those steps, or need help formulating a strategy to implement them, please reach out to any member of our team.