Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

NYDFS imposes $5 million fine against cruise line for cybersecurity violations

Privacy/Cyber Risk & Data Security State Issues NYDFS State Regulators Enforcement Settlement Data Breach 23 NYCRR Part 500

Privacy, Cyber Risk & Data Security

On June 24, NYDFS announced a consent order imposing a $5 million fine against a group of Florida-based cruise lines for alleged violations of the state’s Cybersecurity Regulation (23 NYCRR Part 500). According to a Department investigation, the companies were subject to four cybersecurity incidents between 2019 and 2021 (including two ransomware attacks). The companies determined that unauthorized parties gained access to employee email accounts, and that, through a series of phishing emails, the parties were able to access email and attachments containing personal information belonging to the companies’ consumers and employees. NYDFS claimed that although the companies were aware of the first cybersecurity event in May 2019, they failed to notify the Department as required under 23 NYCRR Part 500 until April 2020. The investigation further showed that the companies allegedly failed to implement multi-factor authentication and did not provide adequate cybersecurity training for their personnel. NYDFS determined that in addition to the penalty, since the companies were licensed insurance producers in the state at the time of the cybersecurity incidents they would be required to surrender their insurance provider licenses.

The settlement follows a $1.25 million data breach settlement reached with 45 states and the District of Columbia on June 22 (covered by InfoBytes here).