[co-author: Joseph Hold]

This year has seen some substantial new data breach settlements including a $500,000 Federal Trade Commission (FTC) fine against CafePress, a $1.25 million multi-state class action settlement and $5 million New York Department of Financial Services (NYDFS) fine against Carnival Corporation (“Carnival”)¹ and a $4.5 million NYDFS fine against EyeMed Vision Care LLC (“EyeMed”). In an era of increasing scrutiny around cybersecurity practice, this assortment of settlements across companies in varying industries offers insight into how regulators view the application of core cyber protections, as well as their growing willingness to prescribe them.

EyeMed Email Breach Settlement

In the most recent settlement, vision services health insurance company EyeMed settled with NYDFS for $4.5 million for allegedly violating the NYDFS Cybersecurity Regulation after a July 2020 email data breach that exposed the personal data of hundreds of thousands of customers.

On July 1, 2020, EyeMed uncovered a phishing attack that gained access to a mailbox that nine employees shared access to, using the same username and password. EyeMed immediately started an investigation, blocking the unauthorized access and retaining outside breach counsel.²

From June 24, 2020 until July 1, 2020, the hacker gained access to a total of six years’ worth of emails and attachments containing consumer personal data. EyeMed began notifying the affected individuals on September 28, 2020, and reported the event to NYDFS on October 9, 2020.³

NYDFS alleged that EyeMed violated NYDFS Cybersecurity Regulation by: failing to implement a multifactor authentication (MFA) system requiring users to present multiple credentials to log in, failing to limit internal access to the email mailbox the hacker breached by allowing nine employees to share login credentials and conducting inadequate assessments with third-party vendors that did not meet the requirements for a cybersecurity risk assessment.⁴

As part of the settlement, EyeMed agreed to take specific actions to strengthen its cybersecurity program, including:

• Conducting a comprehensive cybersecurity risk assessment within 180 days.
• Identifying plans for revising controls in response to technological developments and evolving threats.
• Determining criteria for periodic assessments of any third party service providers within the cybersecurity risk assessment.
• Within 60 days of completing the cybersecurity risk assessment, submitting the results to NYDFS and developing a detailed action plan (subject to NYDFS approval) to address identified risks.⁵

Carnival CruiseMulti-State Class Action & NYDFS Settlements

NYDFS leveled its $5 million penalty against Carnival for alleged violations of the NYDFS Cybersecurity Regulation stemming from four data breaches between 2019 to 2021. Around the same time, a class action of 46 states settled with Carnival over the first of those breaches for $1.5 million.

On May 22, 2019, Carnival became aware of suspicious activity in the form of a service desk ticket indicating that a company email account was sending spam to other internal email accounts.⁶ An internal investigation revealed that between April 11, 2019 and July 29, 2019, hackers had gained access to 124 employee email accounts (likely using phishing emails or brute-forcing passwords) enabling the hackers to access the personal data for 180,000 Carnival employees and customers.⁷ The attack exposed names, addresses and other identifying information such as passport and driver’s license numbers, as well as some social security numbers and credit card information.⁸ At the time Carnival did not have an MFA system in place. Carnival disclosed the breach in March 2020, ten months after the May 2019 discovery.

On August 19, 2020, Carnival reported a second cybersecurity event, a ransomware attack that encrypted company information systems and exfiltrated files.⁹ Exposed consumer information included names, addresses, dates of birth, passport numbers and in some cases employee social security numbers and private health information.

On January 7, 2021, Carnival reported their third cybersecurity event, another ransomware attack, sent via phishing email. This ransomware encrypted a number of systems and downloaded files with customer passport numbers and birth dates, as well as employee credit card numbers.¹⁰

Carnival reported the fourth and final cybersecurity event on March 26, 2021, another phishing attack that gained access to employee credentials. This attack exposed customer and employee names, addresses, phone numbers, passport numbers, birth dates, health information and in some cases social security numbers.¹¹

According to NYDFS, Carnival allegedly violated the NYDFS Cybersecurity Regulation by: failing to implement an MFA system, not promptly reporting the first cybersecurity event, and failing to conduct adequate cybersecurity training for employees.¹² Notably, in addition to the $5 million fine, Carnival was also made to surrender its New York insurance producer licenses.¹³ Before now Carnival had sold various travel insurance products to New York residents, including life insurance, accident and health insurance, and variable life/variable annuities insurance.

The day before NYDFS announced its settlement with Carnival, a party of 46 states announced their own $1.5 million settlement over Carnival’s initial 2019 cyberattack.¹⁴ As part of this multistate deal, Carnival agreed to take specific steps to strengthen its cybersecurity program, including:

• Implement a breach response and notification plan.
• Email security training for employees, including phishing exercises.
• Use MFA for remote access to corporate email.
• Implement policies and procedures to require strong passwords, password storage and password rotation.
• Enact tools to log and monitor network activity in real-time.
• Undergo an independent information security assessment.¹⁵

Café Press FTC Settlement

Similar to Carnival’s multistate settlement, CafePress’s settlement with the FTC also mandated that the company take on specific cybersecurity protections. Stemming from alleged cybersecurity failures resulting in the online custom merchandise platform’s own 2019 breach, the FTC’s settlement also leveled a $500,000 fine, with the company neither admitting nor denying fault.¹⁶ The complaint, first announced in March 2022, was filed against Residual Pumpkin Entity (“Residual Pumpkin”) the former owner of CafePress, and PlanetArt, which bought CafePress in 2020.

In February 2019, a hacker gained access to the company’s computer systems, exposing more than 20 million customer emails and passwords, including over 180,000 social security numbers stored in plain text. Residual Pumpkin received notice of this cybersecurity event on March 11, 2019, confirmed it on March 12, and issued a patch to remediate the vulnerability the following day.¹⁷

On March 26, 2019, Residual Pumpkin investigated a rise in fraudulent orders, concluding they were made with stolen credit cards. On April 15, 2019, the company began requiring users to reset passwords.¹⁸

Between July 26 and August 5, 2019, Residual Pumpkin received further notification, both from customers and third party publications. Upon review after this publication, Residual Pumpkin confirmed CafePress account names and passwords had been exposed.¹⁹

From September 5 to October 12, 2019, Residual Pumpkin sent breach notification letters to affected customers and government agencies, and posted a banner on the CafePress website with information about the breach.²⁰ Residual Pumpkin claimed that the April 15, 2019 password reset had prevented passwords from unauthorized use, yet until at least November 19, 2019 it had continued to allow password resets with information stolen in the breach.²¹ Other data breaches and encryption issues were also alleged in the consent order.²²

According to the FTC, the company failed to implement reasonable security measures to protect the sensitive customer information stored on its network, specifically with the storing of social security numbers in plain text and storing data longer than necessary. The FTC also claims the company failed to adequately respond to security breaches after they occurred.

The FTC ordered specific cybersecurity protections as part of the settlement, requiring Residual Pumpkin and PlanetArt to undertake the following actions, among others:

• Implement technical measures to monitor all networks and the assets and systems therein.
• Implement policies and procedures to review web applications for common vulnerabilities.
• Replace inadequate authentication measures with MFA measures.
• Minimize the amount of data they collect and retain, and implement data deletion policies.
• Encrypt Social Security numbers.
• Have a third party assess information security programs and provide the FTC with a redacted copy of that assessment suitable for public disclosure.²³

Takeaway

These prescriptive cybersecurity measures in settlements are not new, but part of a growing trend as government actors evolve their methods of dealing with the fallout from cyberattacks. Examples like these settlements, an FTC July blog article, as well as recent actions by the SEC demonstrate an increasing attention to detail in the examination of company information security practices. Companies should begin re-evaluating their cybersecurity programs to ensure they have the required measures and level of detail state and federal enforcers are looking for.

¹ Carnival Corp. operates Carnival Cruise Line, Princess Cruise Lines, Holland America Line, Seabourn Cruise Line, and Costa Cruise Lines.

² In the Matter of EyeMed Vision Care LLC, Consent Order, New York Dept. of Financial Services (October 18, 2022) available at https://www.dfs.ny.gov/system/files/documents/2022/10/ea20221018_eyemed.pdf.

³ Id. at 5.

⁴ Id. at 7. According to NYDFS, none of the assessments performed by EyeMed’s vendors addressed risk from consumer personal data stored in the mailbox the hacker breached.

⁵ Id. at 11-12.

⁶ In the Matter of Carnival Corporation d/b/a Carnival Cruise Line et al, Consent Order, New York Dept. of Financial Services (June 23, 2022), available at https://www.dfs.ny.gov/system/files/documents/2022/06/ea20220623_carnival_co.pdf.

⁷ Id. at 6; Off. of the Maryland Attorney Gen., Attorney General Frosh Announces $1.25 Million Multistate Settlement with Carnival Cruise Line Over 2019 Data Breach, Press Release (June 22, 2022), hereinafter “Maryland AG Press Release,” available at https://www.marylandattorneygeneral.gov/press/2022/062222.pdf.

⁸ Id. at 7.

⁹ Id.

¹⁰ Id. at 8.

¹¹ Id.

¹² Id. At 7-9.

¹³ Id. at 11.

¹⁴ Off. of the Connecticut Attorney Gen., Connecticut Co-Leads $1.25 Million Multistate Settlement Over 2019 Carnival Cruise Line Data Breach, Press Release (June 6, 2022), available at https://portal.ct.gov/AG/Press-Releases/2022-Press-Releases/Connecticut-Announces-Settlement-Over-2019-Carnival-Cruise-Line-Data-Breach.

¹⁵ Id.

¹⁶ In the Matter of Residual Pumpkin Entity, LLC and Planetart, LLC, Complaint, Fed. Trade Comm’n (June 23, 2022) available at https://www.ftc.gov/system/files/ftc_gov/pdf/1923209CafePressComplaint.pdf.

¹⁷ Id. at 5.

¹⁸ Id.

¹⁹ Id. at 6.

²⁰ Id.

²¹ Id.

²² Id. at 7-8.

²³ In the Matter of Residual Pumpkin Entity, LLC and Planetart, LLC, Decision and Order, Fed. Trade Comm’n (June 23, 2022) available at https://www.ftc.gov/system/files/ftc_gov/pdf/192%203209%20-%20CafePress%20combined%20package%20without%20signatures.pdf; Fed. Trade Comm’n, FTC Finalizes Action Against CafePress for Covering Up Data Breach, Lax Security, Press Release (June 24, 2022) available at https://www.ftc.gov/news-events/news/press-releases/2022/06/ftc-finalizes-action-against-cafepress-covering-data-breach-lax-security-0