The Massachusetts Attorney General’s office (“AG”) recently announced that it had entered a consent judgment with Briar Group, LLC, a restaurant operator, due to Briar’s 2009 release of patron credit card information at the hands of computer hackers.
Briar was notified of its data breach on October 29, 2009, but did not remove the ‘malware’ from its network until December 10, 2009, all the while continuing to accept credit and debit cards from its customers. Over 125,000 transactions were impacted by the breach. The AG specified a number of grounds for its action including Briar’s failure to regularly change passwords, its failure to limit administrative access to its networks and its delay in notifying consumers of the breach while continuing to accept credit and debit cards.
The AG alleged that Briar failed to properly secure the personal information of its customers and therefore violated consumer protection laws, including M.G.L. c.93A, the Massachusetts Consumer Protection Act. Interestingly, the AG relied upon the charge card security standards established by the Payment Card Industry trade association in arguing that Briar deviated from acceptable industry protocol. Briar was fined $110,000, even though its claimed violations preceded Massachusetts’ new Data Privacy Act (201 CMR 17.00), which went into effect on March 1, 2010 and effectively codifies many of the standards underlying this enforcement action. In addition to the financial penalty, Briar was required to agree to expressly comply with this new privacy regulation.
As technology advances, companies and consumers must remain vigilant in protecting personal and financial information. Ongoing evaluations of systemic vulnerabilities and immediate action to resolve security lapses in advance of a breach are critical. Furthermore, the AG has made it clear that it will not tolerate delays in investigating, reporting, or resolving data breaches, and that such violations will result in significant penalties and fines. Stay tuned for updates as cases premised upon the Massachusetts Data Security Regulation make their way through the system.