State and Federal Crackdown on Data Breach: EyeMed, Carnival Cruise & CafePress Settlements

Nov 1, 2022

EyeMed Email Breach Settlement

In the most recent settlement, vision services health insurance company EyeMed settled with NYDFS for $4.5 million for allegedly violating the NYDFS Cybersecurity Regulation after a July 2020 email data breach that exposed the personal data of hundreds of thousands of customers.

On July 1, 2020, EyeMed uncovered a phishing attack that gained access to a mailbox that nine employees shared access to, using the same username and password. EyeMed immediately started an investigation, blocking the unauthorized access and retaining outside breach counsel.2

From June 24, 2020 until July 1, 2020, the hacker gained access to a total of six years’ worth of emails and attachments containing consumer personal data. EyeMed began notifying the affected individuals on September 28, 2020, and reported the event to NYDFS on October 9, 2020.3

NYDFS alleged that EyeMed violated NYDFS Cybersecurity Regulation by: failing to implement a multifactor authentication (MFA) system requiring users to present multiple credentials to log in, failing to limit internal access to the email mailbox the hacker breached by allowing nine employees to share login credentials and conducting inadequate assessments with third-party vendors that did not meet the requirements for a cybersecurity risk assessment.4

As part of the settlement, EyeMed agreed to take specific actions to strengthen its cybersecurity program, including:

  • Conducting a comprehensive cybersecurity risk assessment within 180 days.
  • Identifying plans for revising controls in response to technological developments and evolving threats.
  • Determining criteria for periodic assessments of any third party service providers within the cybersecurity risk assessment.
  • Within 60 days of completing the cybersecurity risk assessment, submitting the results to NYDFS and developing a detailed action plan (subject to NYDFS approval) to address identified risks.5

Carnival Cruise Multi-State Class Action & NYDFS Settlements

NYDFS leveled its $5 million penalty against Carnival for alleged violations of the NYDFS Cybersecurity Regulation stemming from four data breaches between 2019 and 2021. Around the same time, a class action of 46 states settled with Carnival over the first of those breaches for $1.5 million.

On May 22, 2019, Carnival became aware of suspicious activity in the form of a service desk ticket indicating that a company email account was sending spam to other internal email accounts.6 An internal investigation revealed that between April 11, 2019 and July 29, 2019, hackers had gained access to 124 employee email accounts (likely using phishing emails or brute-forcing passwords), enabling the hackers to access the personal data of 180,000 Carnival employees and customers.7 The attack exposed names, addresses and other identifying information such as passport and driver’s license numbers, as well as some social security numbers and credit card information.8 At the time, Carnival did not have an MFA system in place. Carnival disclosed the breach in March 2020, ten months after the May 2019 discovery.

On August 19, 2020, Carnival reported a second cybersecurity event, a ransomware attack that encrypted company information systems and exfiltrated files.9 Exposed consumer information included names, addresses, dates of birth, passport numbers and in some cases employee social security numbers and private health information.

On January 7, 2021, Carnival reported its third cybersecurity event, another ransomware attack, delivered via phishing email. This ransomware encrypted a number of systems and downloaded files containing customer passport numbers and birth dates, as well as employee credit card numbers.10

Carnival reported the fourth and final cybersecurity event on March 26, 2021, another phishing attack that gained access to employee credentials. This attack exposed customer and employee names, addresses, phone numbers, passport numbers, birth dates, health information and in some cases social security numbers.11

According to NYDFS, Carnival allegedly violated the NYDFS Cybersecurity Regulation by: failing to implement an MFA system, not promptly reporting the first cybersecurity event, and failing to conduct adequate cybersecurity training for employees.12 Notably, in addition to the $5 million fine, Carnival was also made to surrender its New York insurance producer licenses.13 Before that, Carnival had sold various travel insurance products to New York residents, including life insurance, accident and health insurance, and variable life/variable annuities insurance.

The day before NYDFS announced its settlement with Carnival, a party of 46 states announced their own $1.5 million settlement over Carnival’s initial 2019 cyberattack.14 As part of this multistate deal, Carnival agreed to take specific steps to strengthen its cybersecurity program, including:

  • Implement a breach response and notification plan.
  • Provide email security training for employees, including phishing exercises.
  • Use MFA for remote access to corporate email.
  • Implement policies and procedures to require strong passwords, secure password storage and password rotation.
  • Deploy tools to log and monitor network activity in real time.
  • Undergo an independent information security assessment.15

CafePress FTC Settlement

Similar to Carnival’s multistate settlement, CafePress’s settlement with the FTC also mandated that the company take on specific cybersecurity protections. The FTC’s settlement, which stemmed from alleged cybersecurity failures resulting in the online custom merchandise platform’s own 2019 breach, also leveled a $500,000 fine, with the company neither admitting nor denying fault.16 The complaint, first announced in March 2022, was filed against Residual Pumpkin Entity (“Residual Pumpkin”), the former owner of CafePress, and PlanetArt, which bought CafePress in 2020.

In February 2019, a hacker gained access to the company’s computer systems, exposing more than 20 million customer email addresses and passwords, including over 180,000 social security numbers stored in plain text. Residual Pumpkin received notice of this cybersecurity event on March 11, 2019, confirmed it on March 12, and issued a patch to remediate the vulnerability the following day.17

On March 26, 2019, Residual Pumpkin investigated a rise in fraudulent orders, concluding they were made with stolen credit cards. On April 15, 2019, the company began requiring users to reset passwords.18

Between July 26 and August 5, 2019, Residual Pumpkin received further notifications, both from customers and from third party publications. Upon review following these reports, Residual Pumpkin confirmed that CafePress account names and passwords had been exposed.19

From September 5 to October 12, 2019, Residual Pumpkin sent breach notification letters to affected customers and government agencies, and posted a banner on the CafePress website with information about the breach.20 Residual Pumpkin claimed that the April 15, 2019 password reset had prevented unauthorized use of the exposed passwords, yet until at least November 19, 2019 it had continued to allow password resets using information stolen in the breach.21 Other data breaches and encryption issues were also alleged in the consent order.22

According to the FTC, the company failed to implement reasonable security measures to protect the sensitive customer information stored on its network, specifically by storing social security numbers in plain text and retaining data longer than necessary. The FTC also claims the company failed to adequately respond to security breaches after they occurred.

The FTC ordered specific cybersecurity protections as part of the settlement, requiring Residual Pumpkin and PlanetArt to undertake the following actions, among others:

  • Implement technical measures to monitor all networks and the assets and systems therein.
  • Implement policies and procedures to review web applications for common vulnerabilities.
  • Replace inadequate authentication measures with MFA measures.
  • Minimize the amount of data they collect and retain, and implement data deletion policies.
  • Encrypt Social Security numbers.
  • Have a third party assess information security programs and provide the FTC with a redacted copy of that assessment suitable for public disclosure.23

Takeaway

These prescriptive cybersecurity measures in settlements are not new, but they are part of a growing trend as government actors evolve their methods of dealing with the fallout from cyberattacks. Examples like these settlements, an FTC blog article from July, and recent actions by the SEC demonstrate increasing attention to detail in the examination of company information security practices. Companies should begin re-evaluating their cybersecurity programs to ensure they have the required measures and the level of detail that state and federal enforcers are looking for.

If you have any questions, please contact a member of the Akin Gump cybersecurity, privacy and data protection team.


1 Carnival Corp. operates Carnival Cruise Line, Princess Cruise Lines, Holland America Line, Seabourn Cruise Line, and Costa Cruise Lines.

2 In the Matter of EyeMed Vision Care LLC, Consent Order, New York Dept. of Financial Services (October 18, 2022) available at https://www.dfs.ny.gov/system/files/documents/2022/10/ea20221018_eyemed.pdf.

3 Id. at 5.

4 Id. at 7. According to NYDFS, none of the assessments performed by EyeMed’s vendors addressed risk from consumer personal data stored in the mailbox the hacker breached.

5 Id. at 11-12.

6 In the Matter of Carnival Corporation d/b/a Carnival Cruise Line et al, Consent Order, New York Dept. of Financial Services (June 23, 2022), available at https://www.dfs.ny.gov/system/files/documents/2022/06/ea20220623_carnival_co.pdf.

7 Id. at 6; Off. of the Maryland Attorney Gen., Attorney General Frosh Announces $1.25 Million Multistate Settlement with Carnival Cruise Line Over 2019 Data Breach, Press Release (June 22, 2022), hereinafter “Maryland AG Press Release,” available at https://www.marylandattorneygeneral.gov/press/2022/062222.pdf.

8 Id. at 7.

9 Id.

10 Id. at 8.

11 Id.

12 Id. at 7-9.

13 Id. at 11.

14 Off. of the Connecticut Attorney Gen., Connecticut Co-Leads $1.25 Million Multistate Settlement Over 2019 Carnival Cruise Line Data Breach, Press Release (June 6, 2022), available at https://portal.ct.gov/AG/Press-Releases/2022-Press-Releases/Connecticut-Announces-Settlement-Over-2019-Carnival-Cruise-Line-Data-Breach.

15 Id.

16 In the Matter of Residual Pumpkin Entity, LLC and Planetart, LLC, Complaint, Fed. Trade Comm’n (June 23, 2022) available at https://www.ftc.gov/system/files/ftc_gov/pdf/1923209CafePressComplaint.pdf.

17 Id. at 5.

18 Id.

19 Id. at 6.

20 Id.

21 Id.

22 Id. at 7-8.

23 In the Matter of Residual Pumpkin Entity, LLC and Planetart, LLC, Decision and Order, Fed. Trade Comm’n (June 23, 2022) available at https://www.ftc.gov/system/files/ftc_gov/pdf/192%203209%20-%20CafePress%20combined%20package%20without%20signatures.pdf; Fed. Trade Comm’n, FTC Finalizes Action Against CafePress for Covering Up Data Breach, Lax Security, Press Release (June 24, 2022) available at https://www.ftc.gov/news-events/news/press-releases/2022/06/ftc-finalizes-action-against-cafepress-covering-data-breach-lax-security-0.