As part of a settlement with the Massachusetts attorney general in March 2011, a restaurant group agreed to pay $110,000 in civil penalties for its failure to protect customer data, including names and credit card account numbers.[1] The Briar Group LLC discovered a data breach as a result of the installation of malware on its point-of-sale computer system. Upon further investigation, the attorney general found multiple security flaws in the Briar Group’s controls related to its system.
The case was the first prosecuted under the Massachusetts “Standards for the Protection of Personal Information of Residents of the Commonwealth” (Mass 201 CMR 17),[2] which went into effect in 2010 in order to implement the state’s data protection law (M.G.L. c. 93H).[3] The law and regulation apply to any entity, regardless of its location, that has Massachusetts residents’ personal data stored in its IT system.[4]
The restaurant group has not disclosed the total cost of this incident, but the organization’s costs extend beyond the $110,000 fine to include the cost of notifying all affected parties, legal fees, and lost revenue due to consumers’ loss of confidence.
Following Massachusetts’ lead, many other states have passed laws that impose fines on companies for poor data security. To reduce the risk of running afoul of such laws, affected organizations should take the following steps to develop and implement an information security program for compliance with Mass 201 CMR 17 and similar laws of other states.
- Develop a written information security document, which includes the organization’s standards, policies, and procedures.
- Implement the procedures laid out in the written information security document.
- Periodically verify that procedures are being followed by performing assessments such as social engineering testing, Dumpster diving, penetration assessments, and technology configuration reviews.
- Review the written information security program. Management should review the program annually and update it to reflect the environment of the time.
Massachusetts’ prosecution of a company for poor data security is only the first of what is likely to be a series of similar types of prosecutions by attorneys general from other states.
For more information, please contact Raj Chaudhary at 312.899.7008 or email@example.com.
[1] “Major Boston Restaurant Group That Failed to Secure Personal Data to Pay $110,000 Under Settlement with AG Coakley,” news release, Office of the Attorney General of Massachusetts, March 28, 2011, http://www.mass.gov/ago/news-and-updates/press-releases/2011/restaurant-group-pay-110000-under-ag-settlement.html
[2] 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth, http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf
[3] Massachusetts General Law Chapter 93H, “Security Breaches,” http://www.malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H
[4] For more information about Mass. 201 CMR 17, see Crowe’s compliance guide at /folio-pdf/TR12918_DataLawInsert_lo.pdf