Cruise Line Operator Settles NYDFS Cybersecurity Violations
A cruise line operating company and its subsidiaries ("the companies"), which are licensed to sell insurance, settled New York Department of Financial Services ("NYDFS") charges that they violated state cybersecurity regulations and compromised customer and employee information.
In the Consent Order, NYDFS detailed four cyberattacks against the companies that exposed consumer and employee non-public information, including names, addresses, passport/driver's license numbers, and in some cases, Social Security numbers. NYDFS found that the companies failed to maintain an adequate cybersecurity program and failed to comply with additional cybersecurity regulations. As a result, NYDFS found that the companies jeopardized the integrity of their information systems and consumer non-public information.
NYDFS found that the company violated 23 NYCRR § 500.02(b)(6) ("Cybersecurity Program"), 23 NYCRR § 500.12(b) ("Multi-Factor Authentication"), 23 NYCRR § 500.14(a) ("Training and Monitoring") and 23 NYCRR § 500.17(a)-(b) ("Notices to Superintendent") (see 23 NYCRR 500 ("Cybersecurity Requirements for Financial Services Companies")).
The companies agreed to (i) pay a civil monetary penalty of $5 million, (ii) not seek reimbursement for or claim a tax deduction on the penalty and (iii) surrender any and all licenses granting the companies the authority to sell insurance to New York residents.