Massachusetts new regulation 201CMR17.00 has claimed its first victim - The Briar Group.
The Briar Group owns restaurants and bars across Boston, and was fined for breaches that occurred in April and December of 2009.
Although the breaches occurred before the Massachusetts data security regulations went into effect (March 1, 2010), the data security standards set forth in the regulations were used in the settlement.
The judgement was signed on March 28, 2011, by the Suffolk Superior Court Judge and requires a payment of $110,000 to the Commonwealth of Massachusetts in civil penalties. They are also required to comply with Massachusetts data security regulations, comply with the Payment Card Industry Data Security Standards and establish and maintain an enhanced computer network security system.
So you are now probably wondering... What did they (the Briar Group) do to receive this judgement?
According to the lawsuit, filed in Suffolk Superior Court, "the Briar Group experienced a data breach in April 2009, when malcode that was installed on Briar’s computer systems allowed hackers access to customers’ credit and debit card information, including names and account numbers. The malcode was not removed from the Briar Group’s computers until December 2009.
Further, the complaint alleges that the Briar Group failed to change default usernames and passwords on its point-of-sale computer system; allowed multiple employees to share common usernames and passwords; failed to properly secure its remote access utilities and wireless network; and continued to accept credit and debit cards from consumers after Briar knew of the data breach."
Martha Coakley, the Attorney General said in a statement:
“When consumers use their credit and debit cards at Massachusetts establishments, they have an expectation that their personal information will be properly protected. In this instance, the Briar Group did not take proper protections to protect customers’ personal information. In addition to the payment, this agreement also works to ensure that steps have been taken to protect consumer information moving forward. Our office will continue to take action against companies that fail to implement basic security measures on their computer systems to protect the sensitive information entrusted to them by consumers.”
Among other things, 201 CMR 17.00 requires organizations that store personal information on Massachusetts’ residents to encrypt personal information at rest – in databases, servers, laptops, desktops, mobile devices. Data transmitted over wired or wireless networks also must be encrypted.
Don’t let your company be the next one caught in the Attorney General’s spotlight: Find out how NSK Inc. can help you with a Security Audit. This audit will give you a thorough analysis, assessment and audit of your company's IT Security.
Below are links to further information regarding the new regulations