A Law with Teeth
Approximately one year after the new Massachusetts Information Security Law (201 CMR 17.00) took effect, the Massachusetts Attorney General simultaneously announced the filing and settlement of a Superior Court lawsuit.
AG Coakley announced the settlement and a $110,000 fine against Briar Group, LLC, owner of several Boston-area restaurants and bars. The complaint alleged that Briar Group failed to take reasonable steps to protect its patrons’ personal information, thereby putting the payment card information of tens of thousands of consumers at risk.
The Final Judgment by Consent stated that Briar Group “failed to implement basic data security measures to protect consumers’ credit and debit card information,” including but not limited to the following:
a. failing to change default usernames and passwords on its Micros Point of Sale computer system;
b. failing to change passwords in its computer network for more than five years;
c. allowing multiple employees to share common usernames and passwords;
d. failing to modify passwords after termination or resignation of employees;
e. failing to adequately control the number of employees with administrative access to Briar’s computer network;
f. failing to properly secure its remote access utilities and wireless network;
g. continuing to accept credit and debit cards from consumers when Briar knew of the data breach and failing to alert its patrons to the data breach while malcode remained on its computer system;
h. storing payment card information in clear text on its servers; and
i. failing to comply with Payment Card Industry Data Security Standards (“PCI DSS”).
In addition to the fine, Briar Group was ordered to produce a Written Information Security Program (WISP) pursuant to 201 CMR 17.00 and take other steps to protect Personal Information (PI).
Read the AG press release.