Someone Had To Be First: Restaurant Chain Fined Under MASS 201 CMR 17
- Date: 13 April 2011
- Author: broyer
- Category: Cloud Computing, compliance, data privacy, Encryption, News
All things being relative, the first business to be fined under MASS 201 CMR 17 (widely acknowledged as the toughest data breach law in the nation) was a long time coming; in fact, it took more than a year since the regulation first became law.
First up at the plate (and, to use a perfectly good baseball analogy, going down swinging) is a Massachusetts restaurant chain, The Briar Group LLC, which entered into a settlement with Massachusetts Attorney General Martha Coakley over allegations that the chain failed to protect patrons’ personal information. The penalty: $110,000, plus proof of compliance with the state’s data security regulations as well as the Payment Card Industry Data Security Standard (PCI DSS).
According to a report in threatpost.com, the case stemmed from an April 2009 incident in which a malicious program installed on Briar’s computer systems allowed unknown hackers to access customers’ credit and debit card information. That malicious code wasn’t detected and removed until December 2009, according to a statement from the Attorney General.
The allegations cited that Briar Group failed to change employee login information for point of sale terminals and continued to accept credit and debit cards from customers even after it learned of the breach.
Attorney General Coakley said in a statement:
“When consumers use their credit and debit cards at Massachusetts establishments, they have an expectation that their personal information will be properly protected,” AG Coakley said. “In this instance, the Briar Group did not take proper protections to protect customers’ personal information. In addition to the payment, this agreement also works to ensure that steps have been taken to protect consumer information moving forward. Our office will continue to take action against companies that fail to implement basic security measures on their computer systems to protect the sensitive information entrusted to them by consumers.”
From threatpost.com: In a statement The Briar Group said that the company believes the agreement with the Massachusetts Attorney General’s office “achieves our shared goal of ensuring that our customers can use their credit cards with confidence in the security of their data.” However, the company took issue with the AG’s depiction of events, which suggested the restaurant company was slow in responding to knowledge of the breach of its corporate network. The company claimed that it voluntarily reported the breach to the Attorney General’s office at the time, engaged a security firm to vet its network security and informed credit card companies about what customer records may have been leaked to hackers. “The Briar Group believes that it acted immediately and aggressively once it was informed of the possible breach,” the company said in its statement.
The case is the first in which a violation of the Commonwealth’s data privacy law, 201 CMR 17, was prosecuted. The law addresses the misuse of personal data by individuals, companies and third-party providers that store, collect or use personal information on Massachusetts residents, including name, Social Security number, driver’s license number or financial information, regardless of whether those organizations are based in or have offices in the state.
Among other things, 201 CMR 17.00 requires organizations that store personal information on Massachusetts residents to encrypt that information at rest: in databases and on servers, laptops, desktops and mobile devices. Data transmitted over wired or wireless networks must also be encrypted.
In light of this first case, a keen and altogether self-serving recommendation: don’t let your company be the next one caught in the Attorney General’s spotlight. Find out why Venyu’s motto is “your data made invincible.”