UPDATE: A Massachusetts restaurant chain was the first company fined under the state’s toughest-in-the-nation data breach law and will have to pay $110,000 in penalties, according to a statement by the Massachusetts Attorney General. The Briar Group LLC entered into a settlement with Massachusetts Attorney General Martha Coakley over allegations that the chain failed to protect patrons’ personal information. The case stemmed from an April 2009 incident in which a malicious program installed on Briar’s computer systems allowed unknown hackers to access customers’ credit and debit card information. That malicious code wasn’t detected and removed until December 2009, according to a statement from the Attorney General.
In the wake of the breach, the company – which owns and operates a number of bars and restaurants in the Boston area – didn’t take reasonable steps to secure its infrastructure. Briar Group failed to change employee login credentials for point-of-sale terminals and continued to accept credit and debit cards from customers even after it learned of the breach.
Briar Group will pay the Commonwealth $110,000 in civil penalties and must prove compliance with the state’s data security regulations as well as the Payment Card Industry Data Security Standard (PCI DSS). Restaurants in the Briar Group will have to have a secure password management system and PCI-compliant data security measures in place, the Attorney General said in a statement.
In a statement, The Briar Group said that the company believes the agreement with the Massachusetts Attorney General’s office “achieves our shared goal of ensuring that our customers can use their credit cards with confidence in the security of their data.” However, the company took issue with the AG’s depiction of events, which suggested the restaurant company was slow in responding to knowledge of the breach of its corporate network. The company claimed that it voluntarily reported the breach to the Attorney General’s office at the time, engaged a security firm to vet its network security and informed credit card companies about what customer records may have been leaked to hackers. “The Briar Group believes that it acted immediately and aggressively once it was informed of the possible breach,” the company said in its statement.
The case is the first in which a violation of the Commonwealth’s data privacy law, 201 CMR 17, was prosecuted. That law, which took effect on March 1, 2010, is one of the toughest in the nation. It addresses the misuse of personal data by individuals, companies and third-party providers that store, collect or use personal information – including name, Social Security number, driver’s license number or financial information – on Massachusetts residents, regardless of whether those organizations are based in or have offices in the state.
Among other things, 201 CMR 17.00 requires organizations that store personal information on Massachusetts residents to encrypt that information at rest – in databases and on servers, laptops, desktops and mobile devices. Data transmitted over wired or wireless networks must also be encrypted.
There was speculation prior to the announcement about when and how forcefully the Attorney General’s office would enforce 201 CMR 17.00, which encountered opposition from business groups for being too far-reaching and costly to implement.
Reported incidents within the last year would seem to provide more fodder for settlements. Among them is a December 2010 report of a breach at CitySights, a New York-based sightseeing company, that affected around 1,800 Massachusetts residents. However, the Attorney General’s Office has been tight-lipped about which cases it will pursue and refuses to confirm or deny ongoing investigations, so it isn’t clear whether other settlements may be coming.