Massachusetts levied its first data security data breach fine against the ownership group of several Boston area taverns in a settlement that forces the organization to pay $110,000 for failing to secure its patrons' personal information.
The fine against the Briar Group LLC highlights the uncertainty surrounding the Commonwealth's data privacy law, 201 CMR 17, which took effect in March 2010. The Briar Group owns a number of bars and taverns in Massachusetts including The Lenox, MJ O'Connor's, Ned Devine's, The Green Briar and The Harp. Although the breach took place prior to the law taking effect, Massachusetts Attorney General Martha Coakley said the data security standards were used in the settlement.
Coakley announced the settlement Tuesday. In addition to the civil penalty, the organization must comply with the Payment Card Industry Data Security Standard (PCI DSS) and establish and maintain "an enhanced computer network security system."
"In this instance, the Briar Group did not take proper protections to protect customers' personal information. In addition to the payment, this agreement also works to ensure steps have been taken to protect consumer information moving forward," Coakley said.
MA 201 CMR 17 mandates that businesses, non-profits and other non-government entities follow a set of minimum data security standards to protect the personal information of Massachusetts residents, but the factors that will determine whether the AG's office pursues enforcement action following a data breach remain unclear. The AG's office has said that enforcement of MA 201 CMR 17 is less likely when an organization reports a breach promptly and cooperates with the investigation.
According to the lawsuit, filed in Suffolk Superior Court, the Briar Group experienced a data breach in April 2009 when malware was discovered on Briar's computer systems allowing hackers access to customers' credit and debit card information, including names and account numbers. The malware remained on the systems for eight months before it was removed in December 2009.
The lawsuit also alleges that the Briar Group used default usernames and passwords on its point-of-sale system, making it easier for outside attackers to gain access to the sensitive data. In addition, the restaurant group allegedly let multiple employees share common usernames and passwords to access the system and it failed to secure its remote access and wireless network. The organization continued to accept credit and debit cards from consumers after it knew of the data breach.
Under the terms of the settlement, the Briar Group admitted to no wrongdoing. It has agreed to implement an information security program, develop a secure password management system and implement data security measures that meet PCI DSS.
"Our office will continue to take action against companies that fail to implement basic security measures on their computer systems to protect the sensitive information entrusted to them by consumers," Coakley said.