The scope of exposed data remains partially unclear. While the breach affected six million individuals globally, the Texas Attorney General's office has indicated that approximately 80,000 Texas residents may have had highly sensitive information compromised, including names, birth dates, payment information, and driver's license numbers. The full extent of what was accessed and the timeline for Carnival's discovery of the breach have not been fully detailed.
For in-house counsel and privacy officers, this investigation signals aggressive state-level enforcement on data security standards. Companies should review whether their incident response protocols meet Texas requirements and whether their security practices—particularly around employee access controls and multi-factor authentication—would withstand similar scrutiny. Carnival's offer of free credit monitoring through TransUnion may provide a template for breach response, but the CID itself suggests the state is examining whether the company's preventive measures were adequate before the breach occurred. Organizations handling Texas resident data should expect similar demands if breaches occur.