Cybersecurity Fine Against Carnival Is A Reminder To Take Your Cybersecurity Obligations Seriously

June 28, 2022 at 10:34 am Leave a comment

New York’s Department of Financial Services recently announced the imposition of a $5M fine against Carnival Corporation and its subsidiaries for failing to promptly report a series of data breaches and ransomware attacks and providing inadequate cybersecurity training to its staff.  The fine is the latest example of how New York is aggressively pursuing actions against “covered entities” that don’t comply with New York’s cybersecurity regulations.

I’ve decided to use Carnival’s misfortune as a pretext for reminding you of New York’s regulations.  Even if you are not a “covered entity”, you would be well advised to be aware of New York’s mandates as they are playing a leading role in shaping industry expectations when it comes to cybersecurity programs. 

Under New York State’s regulations, a “covered entity” is defined as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” [23 CRR-NY 500.1(c)].  This definition means that state chartered institutions as well as CUSOs that are licensed by New York State must comply with this regulation.  For example, Carnival Corporation was licensed to provide insurance in New York State, a license it surrendered following this fine.

A cybersecurity event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system. [23 CRR-NY 500.1(d)]. 

Last, but not least, “covered entities” are responsible for implementing a cybersecurity framework which, at a minimum :

(1) Identifies and assesses internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information stored on the covered entity’s information systems;

(2) Uses defensive infrastructure and the implementation of policies and procedures to protect the covered entity’s information systems, and the nonpublic information stored on those information systems, from unauthorized access, use or other malicious acts;

(3) Detects cybersecurity events;

(4) Responds to identified or detected cybersecurity events to mitigate any negative effects;

(5) Recovers from cybersecurity events and restore normal operations and services; and

(6) Fulfills applicable regulatory reporting obligations.

DFS’s latest action involved a series of data breaches and ransomware attacks against Carnival Corporation.  Carnival Corporation is a licensed insurance provider in New York State.  According to the Department, there were at least four separate cyber security incidents that were not reported to DFS within 72 hours as required under the regulations.  Covered entities must file notice of a cybersecurity event with the Department pursuant to the requirements of 23 NYCRR §§ 500.17(a)(1) and (a)(2). Section 500.17(a)(1) requires notice to the Superintendent, within 72 hours of determining there has been a cybersecurity event, when notices are “required to be provided to any government body, self-regulatory agency or any other supervisory body.” 

New York’s regulation also underscores why it is so important to understand the specific obligations in the states in which you operate.  New York has a particularly broad definition of what constitutes a reportable event since reporting obligations are triggered as soon as non-public information (NPI) is exposed to an unauthorized third party, regardless of whether or not there is evidence that the NPI was stolen or misused.  Furthermore, reporting obligations are triggered for any cybersecurity events “… that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity”.  This is a broad net and the Department has repeatedly demonstrated that it has little patience for entities that don’t follow the 72 hour mandate.

Carnival Corporation’s other mistakes shouldn’t surprise anyone responsible for overseeing their credit union’s operations in this space.   For example, there was a period during which employees with access to NPI did not have to use multifactor authentication. 

Finally, remember that every year now, every “covered entity” has an individual personally verify that it is complying with these regulations.  New York State’s latest action is the latest example of why you must take this verification seriously. 

Entry filed under: New York State, Regulatory, Technology. Tags: , , , .

The Most Important Development in DC Last Week Did the Supreme Court Just Make it Harder to Regulate the Banking Industry?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advise from retained counsel.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 785 other followers


%d bloggers like this: