Penalty Amount: $1,250,000
Consumers Affected: 180,000
Connecticut, co-leading a multistate investigation, secured a $1.25 million settlement with Carnival Cruise Line over a 2019 data breach affecting approximately 180,000 individuals nationwide. The breach exposed sensitive data including passport numbers, driver's licenses, payment card information, and health data, with a 10-month delay in notification. Carnival agreed to implement enhanced email security measures, a breach response plan, and an independent security assessment.
Carnival must implement and maintain a breach response and notification plan, provide email security training with dedicated phishing exercises, enable multi-factor authentication for remote email access, enforce strong password policies, maintain enhanced behavior analytics tools for network monitoring, and undergo an independent information security assessment.
In-house legal teams should review vendor agreements (especially those involving data processing or sharing), customer privacy policies, and employee data handling agreements. Key clauses to scrutinize include data security provisions (particularly email account protections), breach notification timelines (to avoid delays like the 10-month lapse), data retention and disposal policies (for unstructured data like emails), and audit rights for security assessments. Changes may be needed to mandate specific email security measures (e.g., multi-factor authentication, encryption), require prompt breach notification (e.g., within 72 hours), implement regular independent security audits, enhance data inventory practices for unstructured data, and ensure compliance with all applicable state breach notification laws.
Entity: Carnival Cruise Line
Industry: Other
$1.3M
New Jersey, as part of a multistate coalition, settled with Carnival Cruise Line over a 2019 data breach that compromised personal information of approximately 180,000 employees and customers nationwide. The breach resulted from deficiencies in Carnival's data security program and delayed breach notification. Carnival will pay $1.25 million and implement enhanced email security and breach response measures.
On May 11, 2026, Connecticut Attorney General William Tong led a bipartisan coalition of 21 attorneys general in submitting a comment letter to the U.S. Food and Drug Administration (FDA) urging the agency to abandon draft guidance that would ease approvals for flavored e-cigarette products. The coalition argues the guidance ignores evidence that flavored e-cigarettes disproportionately drive youth addiction and that FDA has failed to enforce existing authorization requirements for e-cigarette products. The letter references past tobacco and e-cigarette enforcement actions, including the 1998 tobacco master settlement agreement and the 2022 $438.5 million settlement with JUUL Labs.
Connecticut’s legislature passed House Bill 5312, creating new civil enforcement mechanisms for deepfake digital sexual assault, including unauthorized dissemination of synthetically created intimate images and AI-generated child pornography. The bill establishes a private right of action for victims and empowers the Connecticut Attorney General to pursue civil injunctions and penalties against abusers and platforms hosting illegal content. This builds on prior Connecticut laws criminalizing unauthorized intimate image dissemination.
Connecticut Attorney General William Tong praised final passage of House Bill 5312, which creates new civil enforcement mechanisms for deepfake digital sexual assault. The legislation allows the AG to pursue civil injunctions and penalties against platforms that disseminate illegal synthetic intimate images, including AI-generated child pornography, and establishes a private right of action for victims. The bill builds on prior Connecticut laws criminalizing unauthorized dissemination of intimate images.
$300K
Connecticut Attorney General William Tong announced a settlement with international trade platform Made-in-China to cease all U.S. sales of unlawful 'research grade' GLP-1 weight loss drugs following an investigation into direct sales to consumers without prescriptions or medical oversight. The settlement prohibits the platform from hosting GLP-1 sales to U.S. customers, requires a monitoring system to remove non-compliant listings, and imposes a $300,000 penalty suspended after an initial $30,000 payment. Additional settlements were announced with Radiance Medspa and Advanced Medical Weight Loss over compounded non-FDA approved GLP-1 drugs.
Connecticut Attorney General William Tong issued a statement on May 1, 2026, announcing the final passage of bipartisan legislation targeting youth social media addiction and artificial intelligence harms. The legislation imposes new obligations on social media companies regarding minor account settings, parental consent, and reporting, as well as requirements for AI chatbot operators and employers using automated decision tools. The statement also references ongoing enforcement actions against Meta and TikTok for allegedly designing addictive platform features for youth.