[co-author: Joseph Hold]
This year has seen some substantial new data breach settlements, including a $500,000 Federal Trade Commission (FTC) fine against CafePress, a $1.25 million multi-state class action settlement and $5 million New York Department of Financial Services (NYDFS) fine against Carnival Corporation (“Carnival”)1 and a $4.5 million NYDFS fine against EyeMed Vision Care LLC (“EyeMed”). In an era of increasing scrutiny around cybersecurity practice, this collection of settlements across companies in diverse industries offers insight into how regulators view the application of core cyber protections, as well as their growing willingness to prescribe them.
EyeMed Email Breach Settlement
In the most recent settlement, vision services health insurance company EyeMed settled with NYDFS for $4.5 million for allegedly violating the NYDFS Cybersecurity Regulation after a July 2020 email data breach that exposed the personal data of hundreds of thousands of consumers.
On July 1, 2020, EyeMed discovered a phishing attack that had gained access to a mailbox that nine employees shared, all using the same username and password. EyeMed immediately began an investigation, blocking the unauthorized access and retaining outside breach counsel.2
From June 24, 2020 until July 1, 2020, the hacker had access to a total of six years’ worth of emails and attachments containing consumer personal data. EyeMed began notifying the affected individuals on September 28, 2020, and reported the event to NYDFS on October 9, 2020.3
NYDFS alleged that EyeMed violated the NYDFS Cybersecurity Regulation by: failing to implement a multifactor authentication (MFA) system requiring users to present multiple credentials to log in, failing to limit internal access to the email mailbox the hacker breached by allowing nine employees to share login credentials, and conducting inadequate assessments with third-party vendors that did not meet the requirements for a cybersecurity risk assessment.4
As part of the settlement, EyeMed agreed to take specific actions to strengthen its cybersecurity program, including:
- Conducting a comprehensive cybersecurity risk assessment within 180 days.
- Identifying plans for revising controls in response to technological developments and evolving threats.
- Identifying criteria for periodic assessments of any third party service providers within the cybersecurity risk assessment.
- Within 60 days of completing the cybersecurity risk assessment, submitting the results to NYDFS and developing a detailed action plan (subject to NYDFS approval) to address identified risks.5
Carnival Cruise Multi-State Class Action & NYDFS Settlements
NYDFS leveled its $5 million penalty against Carnival for alleged violations of the NYDFS Cybersecurity Regulation stemming from four data breaches between 2019 and 2021. Around the same time, a class action of 46 states settled with Carnival over the first of those breaches for $1.5 million.
On May 22, 2019, Carnival became aware of suspicious activity in the form of a service desk ticket indicating that a company email account was sending spam to other internal email accounts.6 An internal investigation revealed that between April 11, 2019 and July 29, 2019, hackers had gained access to 124 employee email accounts (likely using phishing emails or brute-forcing passwords), enabling the hackers to access the personal data of 180,000 Carnival employees and customers.7 The attack exposed names, addresses and other identifying information such as passport and driver’s license numbers, as well as some social security numbers and credit card information.8 At the time Carnival did not have an MFA system in place. Carnival disclosed the breach in March 2020, ten months after the May 2019 discovery.
On August 19, 2020, Carnival reported a second cybersecurity event, a ransomware attack that encrypted company information systems and exfiltrated files.9 Exposed consumer information included names, addresses, dates of birth, passport numbers and in some cases employee social security numbers and private health information.
On January 7, 2021, Carnival reported its third cybersecurity event, another ransomware attack, delivered via phishing email. This ransomware encrypted numerous systems and downloaded files with customer passport numbers and birth dates, as well as employee credit card numbers.10
Carnival reported the fourth and final cybersecurity event on March 26, 2021, another phishing attack that gained access to employee credentials. This attack exposed customer and employee names, addresses, phone numbers, passport numbers, birth dates, health information and in some cases social security numbers.11
According to NYDFS, Carnival allegedly violated the NYDFS Cybersecurity Regulation by: failing to implement an MFA system, not promptly reporting the first cybersecurity event, and failing to conduct adequate cybersecurity training for employees.12 Notably, in addition to the $5 million fine, Carnival was also made to surrender its New York insurance producer licenses.13 In the past Carnival had sold various travel insurance products to New York residents, including life insurance, accident and health insurance, and variable life/variable annuities insurance.
The day before NYDFS announced its settlement with Carnival, a coalition of 46 states announced their own $1.5 million settlement over Carnival’s initial 2019 cyberattack.14 As part of this multistate deal, Carnival agreed to take specific steps to strengthen its cybersecurity program, including:
- Implement a breach response and notification plan.
- Email security training for employees, including phishing exercises.
- Use MFA for remote access to corporate email.
- Implement policies and procedures to require strong passwords, password storage and password rotation.
- Enact tools to log and monitor network activity in real time.
- Undergo an independent information security assessment.15
CafePress FTC Settlement
Similar to Carnival’s multistate settlement, CafePress’s settlement with the FTC also mandated that the company adopt specific cybersecurity protections. Stemming from alleged cybersecurity failures resulting in the online custom merchandise platform’s own 2019 breach, the FTC’s settlement also leveled a $500,000 fine, with the company neither admitting nor denying fault.16 The complaint, first announced in March 2022, was filed against Residual Pumpkin Entity (“Residual Pumpkin”), the former owner of CafePress, and PlanetArt, which bought CafePress in 2020.
In February 2019, a hacker gained access to the company’s computer systems, exposing more than 20 million customer emails and passwords, along with over 180,000 social security numbers stored in plain text. Residual Pumpkin received notice of this cybersecurity event on March 11, 2019, confirmed it on March 12, and issued a patch to remediate the vulnerability the following day.17
On March 26, 2019, Residual Pumpkin investigated a rise in fraudulent orders, concluding they had been placed with stolen credit cards. On April 15, 2019, the company began requiring users to reset their passwords.18
Between July 26 and August 5, 2019, Residual Pumpkin received further notification, both from customers and from third party publications. Upon review after this publication, Residual Pumpkin confirmed that CafePress account names and passwords had been exposed.19
From September 5 to October 12, 2019, Residual Pumpkin sent breach notification letters to affected customers and government agencies, and posted a banner on the CafePress website with information about the breach.20 Residual Pumpkin claimed that the April 15, 2019 password reset had prevented the stolen passwords from unauthorized use, yet until at least November 19, 2019 it had continued to allow password resets using information stolen in the breach.21 Other data breaches and encryption issues were also alleged in the consent order.22
According to the FTC, the company did not implement reasonable security measures to protect the sensitive customer information stored on its network, specifically by storing social security numbers in plain text and retaining data longer than necessary. The FTC also claims the company did not adequately respond to security breaches after they occurred.
The FTC ordered specific cybersecurity protections as part of the settlement, requiring Residual Pumpkin and PlanetArt to undertake the following actions, among others:
- Implement technical measures to monitor all networks and the assets and systems therein.
- Implement policies and procedures to review web applications for common vulnerabilities.
- Replace inadequate authentication measures with MFA measures.
- Minimize the amount of data they collect and retain, and implement data deletion policies.
- Encrypt Social Security numbers.
- Have a third party assess their information security programs and provide the FTC with a redacted copy of that assessment suitable for public disclosure.23
Takeaway
These prescriptive cybersecurity measures in settlements are not new, but part of a growing trend as government actors evolve their methods of dealing with the fallout from cyberattacks. Examples like these settlements, an FTC July blog article, as well as recent actions by the SEC demonstrate an increasing attention to detail in the examination of company information security practices. Companies should begin re-evaluating their cybersecurity programs to ensure they have the required measures and the level of detail that state and federal enforcers are looking for.
1 Carnival Corp. operates Carnival Cruise Line, Princess Cruise Lines, Holland America Line, Seabourn Cruise Line, and Costa Cruise Lines.
2 In the Matter of EyeMed Vision Care LLC, Consent Order, New York Dept. of Financial Services (October 18, 2022), available at https://www.dfs.ny.gov/system/files/documents/2022/10/ea20221018_eyemed.pdf.
3 Id. at 5.
4 Id. at 7. According to NYDFS, none of the assessments performed by EyeMed’s vendors addressed the risk from consumer personal data stored in the mailbox the hacker breached.
5 Id. at 11-12.
6 In the Matter of Carnival Corporation d/b/a Carnival Cruise Line et al., Consent Order, New York Dept. of Financial Services (June 23, 2022), available at https://www.dfs.ny.gov/system/files/documents/2022/06/ea20220623_carnival_co.pdf.
7 Id. at 6; Off. of the Maryland Attorney Gen., Attorney General Frosh Announces $1.25 Million Multistate Settlement with Carnival Cruise Line Over 2019 Data Breach, Press Release (June 22, 2022), hereinafter “Maryland AG Press Release,” available at https://www.marylandattorneygeneral.gov/press/2022/062222.pdf.
8 Id. at 7.
9 Id.
10 Id. at 8.
11 Id.
12 Id. at 7-9.
13 Id. at 11.
14 Off. of the Connecticut Attorney Gen., Connecticut Co-Leads $1.25 Million Multistate Settlement Over 2019 Carnival Cruise Line Data Breach, Press Release (June 6, 2022), available at https://portal.ct.gov/AG/Press-Releases/2022-Press-Releases/Connecticut-Announces-Settlement-Over-2019-Carnival-Cruise-Line-Data-Breach.
15 Id.
16 In the Matter of Residual Pumpkin Entity, LLC and Planetart, LLC, Complaint, Fed. Trade Comm’n (June 23, 2022), available at https://www.ftc.gov/system/files/ftc_gov/pdf/1923209CafePressComplaint.pdf.
17 Id. at 5.
18 Id.
19 Id. at 6.
20 Id.
21 Id.
22 Id. at 7-8.
23 In the Matter of Residual Pumpkin Entity, LLC and Planetart, LLC, Decision and Order, Fed. Trade Comm’n (June 23, 2022), available at https://www.ftc.gov/system/files/ftc_gov/pdf/192%203209%20-%20CafePress%20combined%20package%20without%20signatures.pdf; Fed. Trade Comm’n, FTC Finalizes Action Against CafePress for Covering Up Data Breach, Lax Security, Press Release (June 24, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/06/ftc-finalizes-action-against-cafepress-covering-data-breach-lax-security-0