Carnival Cruise Line reached a $1.25 million settlement Wednesday with 45 state attorneys general and the District of Columbia stemming from its 2019 data breach that involved the personal information of 180,000 Carnival employees and customers nationwide.

In March 2020, Carnival, through subsidiaries Holland America Line and Princess Cruises, reported the breach, in which names, addresses, passport numbers, driver’s license numbers, payment card information, health information, and a small number of Social Security numbers were exposed.

Carnival said it first became aware of suspicious email activity in May 2019, 10 months before publicly announcing the incident. A multistate probe was launched, focusing on Carnival’s email security practices and compliance with data breach statutes.

On Wednesday, Carnival agreed to pay the fine for its alleged misconduct and comply with changes to strengthen its email security and breach response practices going forward, including:

  • Implementation and maintenance of a breach response and notification plan;
  • Email security training requirements for employees, including dedicated phishing exercises;
  • Multifactor authentication for remote email access;
  • Password policies and procedures requiring the use of strong passwords, password rotation, and secure password storage;
  • Maintenance of enhanced behavior analytics tools to log and monitor potential security events on the company’s network; and
  • Undergoing an independent information security assessment.

On top of these requirements, Carnival must employ a chief information security officer (CISO) going forward, according to the settlement. The CISO must have proper credentials, background, and expertise in information security and will oversee the implementation and maintenance of the company’s information security program.

“The CISO’s responsibilities shall also include reporting any security incident impacting 500 or more consumers in the United States to the chief executive officer, chief information officer, and chief operations officer within 48 hours of discovery,” the settlement stated. “The CISO shall report security incidents to the audit committee in accordance with Carnival’s incident response plan.”

The investigation was co-led by Connecticut, Florida, and Washington. Alabama, Arizona, Arkansas, Ohio, and North Carolina provided additional assistance and were joined by Alaska, Colorado, Delaware, the District of Columbia, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Dakota, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, West Virginia, Wisconsin, and Wyoming.

Carnival did not respond to a request for comment.